
Storage Best Practices for Healthcare Delivery Organizations
Summary
Ineffective storage management, security and compliance are some of the key challenges that I&O leaders in regulated industries grapple with, and HDOs are no exception. This research provides best practices that address these challenges from a data storage standpoint.
Key Findings
- Healthcare delivery organizations often have multiple departmental picture archiving and communication system (PACS) implementations, which results in storage silos that are difficult to manage.
- Inadequate mechanisms to store, protect and access patient data often result in organizations struggling to adhere to local and national compliance laws concerning healthcare.
- Increased adoption of mobility and cloud technologies leads to security challenges for healthcare delivery organizations. Related data breaches may result in penalties amounting to millions of dollars.
Recommendations
- Use scale-out storage solutions that provide support for vendor-neutral archive (VNA) platforms to eliminate storage silos.
- Choose storage vendors and service providers who offer storage solutions that are compliant with local and national privacy and security regulations or are willing to work with you to achieve this.
- Choose vendors who provide secure enterprise file sync and share storage solutions.
Analysis
With the exponential growth in digital data, organizations face storage challenges, and healthcare delivery organizations (HDOs) are no exception. Large HDOs often have siloed storage infrastructure dedicated to departmental medical imaging systems. Departments such as radiology, cardiology, neurosurgery, endoscopy, mammography and pathology have their own PACS solutions with unique capabilities and data requirements. In addition to PACS solutions, departments also generate textual data, such as Health Level 7 (HL7) messages and continuity of care documents (CCDs), which is categorized as content that does not conform to the Digital Imaging and Communications in Medicine (DICOM) standard and therefore must be stored and managed separately (see Notes 1 and 2). This often results in infrastructure and operations (I&O) leaders of HDOs procuring storage for each department year over year, which increases IT costs and complicates compliance and data management across the HDO.
Another challenge for I&O leaders in HDOs is to be compliant with local and national data protection and privacy regulations and laws. Data protection laws, when they exist and are enforced, vary from region to region. Developed countries have the most mature data protection and privacy frameworks. Table 1 lists the local and national laws of various regions and countries.
Table 1. Representative Data Protection and Privacy Regulations and Laws Concerning Healthcare
| Region/Country | Regulations | Local/National/Regional |
|---|---|---|
| U.S. | HIPAA and HITECH Acts | National |
| U.K. | Data Protection Act | National |
| Canada | Personal Information Protection and Electronic Documents Act | National |
| Canada — Ontario | The Personal Health Information Protection Act (Ontario) | Local |
| Australia | Privacy Act | National |
| European Union | Data Protection Directive (Directive 95/46/EC) | Regional |
| European Union and U.S. | Safe Harbor Privacy Principles | Regional |
In the U.S., organizations that create, retain and transmit protected health information (PHI) are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). These covered entities and their business associates must ensure that the infrastructure deployed meets privacy and security capabilities that are set forth in the healthcare industry rules.
With the increased adoption of public cloud for file sync and share and cloud storage, a large amount of data is shared, generated and stored on endpoint devices such as smartphones and tablets. Although it is very convenient to access and analyze patient information in this manner, there is a potential risk of data breaches, which may result in heavy penalties imposed on the HDO. Per the HITECH Act, if the PHI of more than 500 individuals is stolen in a security breach, the HDO must immediately notify the affected individuals, the U.S. Department of Health and Human Services (HHS) and the media. The HDO is also liable to pay penalties of up to $1.5 million USD in a year in severe cases of data breach. One example is a data breach in which the ePHI of 6,800 individuals became available in the public domain as a result of two HDOs operating jointly over a shared data network. This noncompliance with HIPAA and HITECH resulted in a $4.8 million USD settlement — the largest so far.1
This research addresses the storage management, security and compliance challenges that I&O leaders in HDOs confront.
Vendor-neutral archives (VNAs) provide a single platform across the enterprise to store and consolidate medical images and associated information (see Note 3). VNAs can support and store unique image formats of each PACS solution along with nonimage data using DICOM protocols and HL7 connectors. In this scenario, electronic health records (EHR) systems can integrate with a single VNA platform and fetch the required patient information seamlessly.
Given that storage systems have a direct bearing on VNA architectures, we recommend I&O leaders choose storage vendors that have partnered with healthcare technology providers to jointly deliver VNA solutions. A typical VNA solution consists of DICOM and HL7 connectors supplied by the VNA vendor, a content server platform, and the storage platform itself. For example, EMC's medical image sharing and management solution includes the J4HealthCare connector for DICOM and HL7 interfaces, the EMC Documentum content server, a database and the EMC storage platform. Table 2 provides a list of representative storage vendors and their healthcare solution partners.
Given that VNA solutions are expensive to deploy, I&O leaders in HDOs can migrate from their PACS solution to a VNA platform in a phased manner. The first step is to replace existing storage systems supporting the independent PACS solutions with a central scale-out storage system, which is part of the VNA platform. I&O leaders can start small, perhaps with a two- or four-node scale-out storage system that enables one or two PACS migrations to the VNA platform, and gradually scale to a larger configuration over multiple budget cycles.
Another key selection criterion for a VNA platform is the type of scale-out storage that needs to be deployed; for example, SAN, NAS or object storage. Object storage platforms are most suitable for VNAs because they can easily scale to petabytes of capacity and store files, images and data blocks as individual elements with unique identifiers. Other characteristics of object storage solutions include granular security, robust multitenancy, data immutability and rich metadata capabilities. These features make object storage suitable for healthcare solutions, which generally require adequate data protection and retention for compliance reasons.
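The object storage traits the paragraph lists (unique identifiers, immutability, tenant isolation, rich metadata and retention) are easier to evaluate when they are seen operating together. The following Python sketch is an added example written for this note; it is not code from the page or from any vendor listed in Table 2, and it models a simplified store in memory: identifiers are derived from content with SHA-256, records are write-once, each tenant can see only its own keys, and a delete is refused while a retention hold is in force. The tenant names, sample bytes and metadata keys are constructed for illustration.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECONDS_PER_DAY = 86400


class RetentionError(Exception):
    """Raised when an object still under a retention hold is deleted."""


@dataclass(frozen=True)
class StoredObject:
    """One stored element; frozen=True makes the record itself immutable."""
    object_id: str              # unique identifier derived from the content
    tenant: str                 # owning tenant, e.g. a department or a separate HDO
    data: bytes
    metadata: Dict[str, str]    # rich metadata, e.g. modality and study date
    retain_until: float         # epoch seconds; deletion is refused before this


class ImmutableObjectStore:
    """Toy object store; keys are (tenant, object_id) so tenants are isolated."""

    def __init__(self) -> None:
        self._objects: Dict[Tuple[str, str], StoredObject] = {}

    @staticmethod
    def object_id_for(data: bytes) -> str:
        # Content-derived id: identical bytes always map to the same identifier.
        return hashlib.sha256(data).hexdigest()

    def put(self, tenant: str, data: bytes, metadata: Dict[str, str],
            retention_days: int, now: float = None) -> str:
        now = time.time() if now is None else now
        key = (tenant, self.object_id_for(data))
        if key not in self._objects:  # write-once: an existing object is never overwritten
            self._objects[key] = StoredObject(
                key[1], tenant, data, dict(metadata),
                now + retention_days * SECONDS_PER_DAY)
        return key[1]

    def get(self, tenant: str, object_id: str) -> StoredObject:
        try:
            return self._objects[(tenant, object_id)]
        except KeyError:
            # Another tenant's object is indistinguishable from a missing one.
            raise KeyError(f"no object {object_id} for tenant {tenant}") from None

    def find(self, tenant: str, **criteria: str) -> List[str]:
        """Metadata search scoped to one tenant, e.g. find('radiology', modality='CT')."""
        return sorted(obj.object_id for (t, _), obj in self._objects.items()
                      if t == tenant
                      and all(obj.metadata.get(k) == v for k, v in criteria.items()))

    def delete(self, tenant: str, object_id: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        obj = self.get(tenant, object_id)
        if now < obj.retain_until:
            raise RetentionError(f"{object_id} is retained until {obj.retain_until:.0f}")
        del self._objects[(tenant, object_id)]
        return True


def demo() -> dict:
    """Exercise the store on constructed sample data and report what happened."""
    store = ImmutableObjectStore()
    image = b"constructed sample image bytes, not a real DICOM file"
    oid = store.put("radiology", image, {"modality": "CT", "study_date": "2014-01-15"},
                    retention_days=7, now=0.0)
    # A second put of the same bytes with different metadata must not overwrite the first.
    same = store.put("radiology", image, {"modality": "MR"}, retention_days=7, now=0.0)
    try:
        store.get("cardiology", oid)
        cross_tenant_read = True
    except KeyError:
        cross_tenant_read = False
    try:
        store.delete("radiology", oid, now=1 * SECONDS_PER_DAY)
        early_delete = True
    except RetentionError:
        early_delete = False
    return {
        "same_id_on_repeat": same == oid,
        "metadata_kept": store.get("radiology", oid).metadata["modality"],
        "cross_tenant_read": cross_tenant_read,
        "early_delete": early_delete,
        "found_by_metadata": store.find("radiology", modality="CT") == [oid],
        "delete_after_hold": store.delete("radiology", oid, now=8 * SECONDS_PER_DAY),
    }


if __name__ == "__main__":
    print(demo())
```

When assessing a real object storage product against these criteria, the checks to ask for are the same ones `demo()` performs: whether a repeated write can silently replace an earlier version, whether one tenant can learn anything about another tenant's objects, and whether a retention hold is enforced by the storage layer rather than by application convention.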
Table 2. Representative Storage Vendors and Their Healthcare Solution Offerings
| Storage Vendor | Storage Products | VNA Partner |
|---|---|---|
| Cleversafe | dsNet | Merge Healthcare |
| Caringo | Swarm | Merge Healthcare, Acuo, DeJarnette and TeraMedica |
| EMC | Isilon, Atmos and Centera | TeraMedica and J4HealthCare |
| Hitachi Data Systems | Hitachi Content Platform with HUS back-end SAN | Visbion |
| HP | HP StoreAll 9000 | Acuo, DeJarnette and TeraMedica |
| IBM | SONAS and V7000 | Acuo |
| NetApp | FAS series | Acuo, DeJarnette and TeraMedica |
Additionally, there are a number of data management software products from vendors such as CommVault, BridgeHead Software and HP that integrate with VNA platforms for archiving and data management.
Ensuring compliance can be tricky from a technology perspective, given the ambiguous nature of most data protection regulations. The first step is for I&O leaders to work with risk and compliance officers within their organizations to understand information security and compliance risks. I&O leaders must then work with storage vendors to ensure the storage solution that is proposed addresses these risks. The final step is to educate the IT team on local data protection and privacy laws so that they are empowered to better handle high-risk situations.
Using third-party managed service providers or cloud service providers poses its own set of challenges. According to the HIPAA Omnibus Final Rule, data center service providers and cloud service providers are also categorized as business associates of the covered entities, or as subcontractors of the business associates, and thus become liable even if they do not directly access data.
Recommendations:
- Start by using service providers for services that do not involve storing PHI, such as secure messaging, clinical communications and mobile device management. This helps the HDO gauge the maturity level of the service provider.
- Then perform a HIPAA risk assessment before considering using the data center service provider or a cloud service provider for storing ePHI data.
- Shortlist only cloud service providers or data center providers who are willing to sign the business associate agreement.
- Ensure storage security service levels provided by the service provider meet compliance requirements. Storage-related risks can be classified as administrator and user risks, workload and data management risks, physical infrastructure and implementation risks, and data life cycle management risks. Make sure your service provider has the appropriate technologies to ensure these risks are addressed.
Choose Vendors Who Provide Secure Enterprise File Sync and Share Storage Solutions
With the increased use of cloud- and mobility-related technologies, a significant amount of sensitive healthcare data is being accessed and managed at endpoints, such as mobile phones and tablets. Also, the use of personal cloud storage services to store sensitive data and collaborate with peers is on the rise. I&O leaders of HDOs need to ensure that the IT team is in control of any file sharing and collaboration solutions that are being used by the organization.
Recommendations:
- When considering enterprise file synchronization and sharing (EFSS) offerings that are hosted on a public cloud, choose vendors who offer specialized solutions for healthcare. This will improve the likelihood of compliance. Ultimately, however, the responsibility for compliance falls to the HDO.
- If possible, choose file sync and share vendors that integrate with existing, on-premises storage infrastructure and provide the service as a private cloud deployment. This will significantly reduce PHI exposure in the public domain.
- To ensure adequate security, choose file sync and share solutions that provide features such as AD/LDAP integration, remote wipe capabilities, different levels of file sharing privileges and file change notifications.
- I&O leaders must collaborate with information security officers and formulate a public cloud storage policy to contain use of personal cloud storage services for storing sensitive HDO data.