One of my favorite film quotes is from Ebby Calvin LaLoosh (yes, that’s his name!), the erratic but talented Durham Bulls pitcher placed under the tutelage of Crash Davis, an experienced but somewhat over-the-hill catcher, made famous in the movie Bull Durham. “This is a very simple game,” LaLoosh says. “You throw the ball; you catch the ball; you hit the ball. Sometimes you win; sometimes you lose; sometimes it rains.”
I find the latter part of the quote to be quite insightful and very applicable to marketing and selling the SaaS model to healthcare organizations. According to a recent InformationWeek survey of 150 organizations not using SaaS, the model raises two red flags in their IT departments:
- Concerns over security
- Concerns over data ownership
Any SaaS provider has experienced this bias. Many CIOs and CTOs insist that their data reside in their network and not at the SaaS-hosted site because of a wide spectrum of fears:
- Who can access the data?
- Is the data being shared with other organizations?
- What if the data is financial data or patient records?
- What happens to the data when the contract terminates?
If an organization’s tech execs completely discount SaaS and refuse to let their users evaluate the offering, the rain starts falling and the game is canceled on any effort to get the model adopted there.
So in the SaaS world how does one address these fears? Let’s look at each scenario.
Security
Keeping your own data may give you the illusion that your data is absolutely secure, but there are no guarantees. A case in point is the recent occurrence at a South Shore, Mass., hospital, which lost 800,000 patient and employee records on backup files (http://bit.ly/dt4MyT). There are other such incidents I could easily cite, as it seems like this type of occurrence happens every day.
The point is, making sure your data is secure, whether it’s kept internally or externally, is paramount. With SaaS, verifying that security is essential.
As I have mentioned in previous posts, the SAS70 Type 2 audit is an essential process that a SaaS provider should undertake. An independent auditing firm tests and reports on control objectives to ensure that the company has defined security procedures and, most importantly, that all employees follow these procedures. Auditors extract sample test cases from visitor logs, maintenance logs, virus scanning logs and system alerts. They then inspect firewall rules and changes. The audit is typically performed yearly, although I have come across some companies that perform them semi-annually. Upon completion, auditors provide a report to the SaaS provider indicating the test results.
If you are a SaaS consumer, you are entitled to a copy of your provider’s report. If you are evaluating a SaaS provider you will not be able to see a full report. In that case, ask for a letter attesting that a Type 2 audit was successfully performed.
I should mention that there are two types of reports. A Type 1 report only assesses the stated control objectives without any testing. A Type 2 report encompasses test cases and publishes results on the effectiveness of the objectives. In my opinion a Type 1 report provides no value to the SaaS consumer.
Data ownership
There are two aspects to the concern over data ownership.
- Service Termination: A contract with a SaaS provider should indicate that at contract termination, data is turned over to the customer. This ensures that you will have access to the data and be able to populate your replacing application with the SaaS data.
- In-Service Access: This pertains to having your SaaS data available for you to download to your own servers. Any decent SaaS application will provide tools for extracting data to a format that can be imported into another application, such as CSV or pipe-delimited files. The caveat here is that once the data is on the consumer’s premises, the security onus is entirely on the user of SaaS and not the SaaS provider.
Are the concerns expressed above real? In my opinion they are, but with a thorough review of the SaaS contract, a successful SAS70 Type 2 audit and the ability of the software to export your data, these concerns can be mitigated. It’ll once again be time to play ball, as Ebby LaLoosh might say!