In recent years, the demand for Software-as-a-Service (SaaS) solutions (such as Google Workspace and Microsoft Office 365) has exploded, and there’s no sign of it slowing down any time soon. According to a recent study by McKinsey, the global SaaS market is currently worth about $3 trillion, a figure that could surge to $10 trillion by 2030.
In practical terms, this means around 85% of the software used by organisations will be SaaS-based within just a few years.
Although the healthcare sector was initially hesitant to adopt SaaS solutions, largely due to perceived data security risks, this is slowly but surely starting to change.
In fact, it is now commonplace to find hospitals using the technology for non-clinical procedures, such as billing and supply chain management, as well as for essential patient data management – in the form of cloud-based electronic health records (EHRs).
However, when it comes to data protection, one of the common limitations of the SaaS model means many healthcare organisations are indeed putting themselves at risk of significant data loss, often without even realising it.
This is because they are expecting their SaaS providers to take full responsibility for all their data protection needs, whereas, in reality, most major providers operate on a shared responsibility basis, which usually only provides basic data protection functionality.
While these capabilities might be enough for certain situations, they are not usually comprehensive, which means organisations often find out the hard way that the sensitive patient data they thought was safeguarded and recoverable isn’t as secure as they thought.
The fine line between data protection and user convenience
This disconnect is perhaps understandable, given a core foundation of the SaaS model is that providers are there to take responsibility for the technology away from their customers and provide it as a service.
But adopting cloud-based services doesn’t automatically delegate responsibility for data protection in the way many customers think.
Taking a closer look at the parameters of the shared responsibility model, therefore, is crucial.
On the one hand, signing up with a SaaS provider gives organisations in the healthcare industry the ability to protect a range of different key technology priorities. This can be everything from the operating system, hardware, network infrastructure and virtualisation to power management, physical security, and a mixture of other points, each of which should be broken down within a Service Level Agreement (SLA).
However, in the vast majority of situations, protecting data and users remains the sole responsibility of the healthcare organisation itself.
What this means is that any issues caused by things like human errors, viruses, malware, and malicious insider threats don’t fall within the provider’s security remit unless specifically agreed upfront in the SLA.
From a data protection standpoint, there’s a very real chance of catastrophic data loss in the event of a disaster recovery situation, unless additional measures are in place to mitigate this.
Vendor-agnostic secure back-up solutions offer peace of mind
Healthcare organisations – just like other businesses – simply cannot put themselves at risk in this way. So how can they get more certainty about the security of their sensitive data when exploring SaaS solutions?
A key factor to consider with any SaaS data protection strategy is the complexity of the task at hand.
For example, in 2022, organisations worldwide were using an average of 130 different SaaS applications, according to Statista.
Inevitably, this means data gets fragmented across a diverse set of SaaS providers, each of whom will store it on either their own data centre infrastructure or as a cloud-based tenant using different vendors and technology stacks.
In this context, the core objective should be to create an isolated and tamper-proof copy of data and data objects contained in each SaaS application and workload.
Instead of using multiple different SaaS back-up solutions, each with its own architecture and user interfaces, protecting data across a multitude of disparate SaaS services is more effectively achieved by implementing a vendor-agnostic back-up solution.
By removing the layers of administration complexity, for instance, users benefit from a streamlined approach to data protection that gives a single view of all the data sets residing across their SaaS portfolio.
Ideally, this will deliver fully automated back-up and recovery capabilities as well, particularly for critical apps.
In doing so, users can combine scalable and secure protection with granular data recovery to protect application data against today’s ever-increasing risks and vulnerabilities.
These can range from accidental data deletions to ransomware attacks – which were found to target the healthcare industry more than any other critical infrastructure in 2022.
When a data protection issue arises, data can be restored to the same SaaS vendor or moved elsewhere, while organisations can also create multiple immutable copies of back-ups that are stored in an independent cloud that’s dedicated to data protection and not dependent on large hyperscalers.
With SaaS adoption continuing to accelerate at an unprecedented rate throughout the healthcare sector, data protection strategies need to evolve to meet the new challenges being created.
And healthcare organisations that focus on building a vendor-agnostic SaaS data protection strategy can enjoy the benefits SaaS has to offer with the confidence that their data remains safe and recoverable at all times.
Despite entering into agreements with suppliers, health trusts often do not realise that they are responsible for protecting the data they hold