Managing the Complexities of Consumer-grade Enterprise Platforms

Vendors of consumer-grade services (a.k.a. enterprise platforms) include Google, Microsoft (MS), Accellion, Box, Dropbox, and others. The services (or applications or tools) provided by these vendors on their platforms include but are not limited to file storage / sharing and synchronization (FSS), mobile content management, document management, and, perhaps most importantly, project / team collaboration.

For example, Google’s comprehensive suite of cloud-based services, Google Drive (FSS), includes but is not limited to Google Docs (collaborative office / productivity apps, now housed in Google Drive), Google Mail/Calendar, and Google Sites (sharing information on secure intranets for project / team collaboration). Box’s suite of cloud-based services includes but is not limited to mobile content management, project collaboration, a virtual data room, document management, and integration with Google Docs. Historically, MS’ SharePoint had been associated with on-premise document management and intranet content management. Over the years, broader, on-premise web applications were added to provide intranets, extranets, portals, and public-facing web sites, as well as technologies that provided team workflow automation and collaboration, sharing, and document editing services. SharePoint 2013 offers services in the cloud (and on-premise), and it includes but is not limited to Office 365 (the famous office / productivity apps, which now can be rented rather than purchased), Outlook (calendar), Exchange (mail), records management, e-discovery, and search.

I have worked with most of the above services / platforms in healthcare organizations.  Since today’s digital experience is all about connecting and collaborating with others, I strongly believe the above services / platforms are important and useful for provider organizations primarily because most of the services (or applications or tools) are not present in provider organization line-of-business systems.  For example, with Google Drive, a resident can create a patient location spreadsheet in a cloud application, such as Google Docs, share it with a colleague(s), edit it on a tablet device, and push revisions to a collaboration site.  Blocking access to these services penalizes employees by not allowing them to use robust collaboration tools.

In addition, I strongly believe the internal organizational policies and procedures that are developed for such services are sub-optimal at best. Unfortunately, most FSS services do not encrypt content, possibly exposing content to interception in violation of regulatory obligations, such as HIPAA. Yet organizational policies that manage encryption, backup and archiving for content sent through email or FTP systems typically are not applied to the content sent through FSS services!

If provider organizations were to deploy formal information governance (IG) principles (e.g., electronic records management principles) with many of these enterprise services / platforms, onerous access blocking could be eliminated and policies and procedures could be improved. Unfortunately, as with most services (or applications or tools), deploying IG principles for enterprise services is complex. In addition, deployment requires resources with knowledge of and experience in information governance principles. However, the trade-off is that provider organizations can meet other legal, regulatory, and compliance requirements, such as e-discovery, without additional resources or effort.

Currently, many of these services’ / platforms’ configurations and capabilities are NOT intended for long-term electronic record retention and security purposes and should NOT be used as healthcare organizations’ electronic repositories of official records. For example, no comprehensive electronic records management / document management / content management functionality exists on Google Drive. Once the record owners leave the organization and fail to reassign ownership, the official records could be subject to automatic deletion after x number of years! However, Google is introducing new Google Drive tools that might assist in better management of official records.

On the other hand, increasingly, cloud providers are supporting content segregation, security, privacy, and data sovereignty requirements to attract regulated industries, and they are offering service-level agreements and HIPAA Business Associate Agreements (BAAs) designed to reduce risks.  In September, Google announced a HIPAA BAA for the following Google App services:  Gmail, Google Calendar, Google Drive and Google Apps Vault.  Alternatively, Accellion has extended its reach beyond data stored in its application by integrating with enterprise content management (ECM) systems, allowing users to connect right from their mobile devices to secured, backend, typically on-premise repositories, such as MS’ SharePoint.

 
