Top 5 risks of keeping your lab’s data on-premise

Health care institutions are often not fully aware of the risks associated with managing IT resources on-premise. In this article we focus on issues related to the processing of genomic data from next-generation sequencing (NGS).

Ben Liesfeld, published in Limbus News, Jan 30, 2020 (5 min read)


When discussing the risks associated with new technologies it often becomes apparent that we are not fully aware of the risks associated with conventional technologies or the status quo. Cloud technologies are often associated with a higher risk of exposing personal data, for example, but there are probably just as many instances where large numbers of patient records were exposed through software that was managed on-premise.

This article describes the risks that are linked to the operation and maintenance of IT solutions on-premise (as opposed to in the cloud), such as

  • Scalability
  • Compliance and security
  • Rollout and maintenance nightmares
  • Disaster recovery
  • Expertise, service level and support

Update on 18 March 2020: I would never have thought about such a scenario when I originally wrote this article. We are facing a period of time (indefinite at this moment) where employees are urged not to come to their workplace. This is why I added the following risk:

Accessibility and resilience

In the unlikely event of a pandemic, employees may not be allowed to come to the workplace, or they should be encouraged to work off-site, from home. In these instances, IT resources must suddenly be accessible from outside the organization's network and still be secure. Access must also scale, since employees will be working from many individual locations rather than a handful of office networks.

This may put extensive strain on on-premise solutions or it may even be impossible due to license restrictions. Native cloud solutions do not have this bottleneck.

Scalability

Scalability is often not seen as a risk. In the fast-changing world of genetic diagnostics, however, the inability to support a growing test volume or ever increasing complexity of assays may put your business at risk.

Genetic data comes in batches.

In genetic diagnostics, achieving scalability is particularly difficult, because NGS data is generated in batches and batch sizes can range from dozens to hundreds of samples. Each batch must then be processed as quickly as possible.

In genetic testing labs, on-premise computer hardware is therefore either extremely powerful, expensive and highly under-utilized between batches, or well-utilized and a bottleneck for the entire process whenever a batch arrives.

Liquidity: CAPEX vs. OPEX

When deciding on an on-premise software solution there is the risk of not having sufficient liquidity to build the necessary IT infrastructure. What would a delay of the investment mean? Should resources be taken away from other mission-critical initiatives?

Again, the fast-changing world of genetic diagnostics will probably punish delays. Cloud-based solutions typically do not require up-front payments. Their costs are treated as operating expenses (OPEX) rather than capital expenditures (CAPEX).

Is disk space cheap?

Long-term storage of clinical data must not just consist of saving files on any storage medium, e.g. a USB hard drive. It is important to determine the potential rate of data loss. The organization's risk assessment should include an assessment of how much data loss is acceptable over a given period of time. Do not be mistaken: every little improvement in the resilience of an on-premise storage solution (a second copy, a second site, regular integrity checks) increases the cost of data storage significantly.

In clinical diagnostics, retention of raw data may be required for a long period of time. The storage cost of a sample should therefore be calculated for the entire lifetime of the data set, not just the first year, and considered in all cost calculations from the beginning.
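The two quantities the paragraphs above ask for, lifetime storage cost per sample and the probability of losing a data set before its retention period ends, can be put side by side for different numbers of replicas. The following script is an added example and not part of the original article; every number in it (100 GB of raw data per sample, 1,000 samples per year, a constructed cost per GB-year, a constructed 1 % annual loss rate per copy, a 10-year retention period) is an assumption chosen for illustration, and the failure model (independent copies, no re-replication after a loss) is deliberately simple.

```python
# Added example, not from the original article: compare storage cost and
# data-loss probability for an on-premise NGS raw-data archive.
# All input values are constructed assumptions for illustration.

def lifetime_storage_cost(gb_per_sample, samples_per_year, cost_per_gb_year,
                          retention_years, copies=1):
    """Cost of keeping one year's intake for its whole retention period.

    Returns (total_cost, cost_per_sample). Cost scales linearly with the
    number of copies; real multi-site setups usually cost more than that.
    """
    gb_per_year = gb_per_sample * samples_per_year
    total = gb_per_year * cost_per_gb_year * retention_years * copies
    return total, total / samples_per_year


def loss_probability(annual_loss_rate, copies, retention_years):
    """Probability that a data set is gone at the end of the retention period.

    Model (assumption): each copy is lost independently with probability
    annual_loss_rate per year and a lost copy is never rebuilt, so the data
    set is lost only if every copy has failed by the end of the period.
    """
    lose_one_copy = 1.0 - (1.0 - annual_loss_rate) ** retention_years
    return lose_one_copy ** copies


def storage_plans(gb_per_sample, samples_per_year, cost_per_gb_year,
                  annual_loss_rate, retention_years, max_copies=3):
    """One row per replica count: cost per sample and expected lost samples."""
    rows = []
    for copies in range(1, max_copies + 1):
        _, per_sample = lifetime_storage_cost(
            gb_per_sample, samples_per_year, cost_per_gb_year,
            retention_years, copies)
        p_loss = loss_probability(annual_loss_rate, copies, retention_years)
        rows.append({
            "copies": copies,
            "cost_per_sample": round(per_sample, 2),
            "p_loss": p_loss,
            # expected number of this year's samples lost over the period
            "expected_lost_samples": samples_per_year * p_loss,
        })
    return rows


if __name__ == "__main__":
    # Constructed inputs: 100 GB/sample, 1,000 samples/year, 0.12 per GB-year,
    # 1 % annual loss rate per copy, 10-year retention.
    for row in storage_plans(100, 1000, 0.12, 0.01, 10):
        print(f"{row['copies']} cop{'y' if row['copies'] == 1 else 'ies'}: "
              f"{row['cost_per_sample']:.2f} per sample, "
              f"p(loss)={row['p_loss']:.4f}, "
              f"expected lost samples={row['expected_lost_samples']:.1f}")
```

The point of the table the script prints is the shape of the trade-off, not the absolute numbers: with the constructed inputs a single copy loses roughly one in ten data sets over ten years, a second copy brings that below one in a hundred while doubling the cost per sample, and a third copy buys another order of magnitude for another 50 % on top. Replace the assumed cost, loss rate and retention period with your own figures before drawing conclusions, and remember that a real archive also needs periodic integrity checks and re-replication, which the model above leaves out.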

By the way: the popular diagrams from NHGRI depicting the steep decline in sequencing costs do not include any downstream analysis or long-term storage of the raw sequencing data.

Compliance and security

A long list of regulations, standards and best practices has to be applied to ensure that IT is operated securely. Maintaining an entire department for the compliance of IT processes is a luxury that very few non-IT businesses can afford.

The complexity of the task grows with the number of applications that are maintained on-premise. Managing a multi-purpose on-premise infrastructure is therefore much more difficult and expensive than managing single-purpose infrastructures in the cloud.

Just in terms of compliance, your organization would need to consider the implications of standards and regulations like ISO 27001, HIPAA or the GDPR (and a few more). This typically means involving additional external (legal) experts, which further increases your expenses.

IT security is never 'finished'. It includes many tasks that need to be done iteratively, such as checking for newly disclosed vulnerabilities and bugs, including those in your software's dependencies, and then assessing their potential impact on your systems and infrastructure. Moving to the cloud shifts the patching of the underlying platform to the provider, but the application and its dependencies still have to be kept up to date by whoever operates them.

Most on-premise software is not air-gapped, i.e. it is still connected to the internet in some form. This means it remains exposed to a range of potential exploits, and your own internal users are part of the 'attack surface' that your IT staff needs to consider: a phishing e-mail can turn them into the unwitting entry point for malware like Emotet, and worm-like ransomware such as WannaCry spreads between unpatched machines on an internal network without any user involvement at all.

Rollout, maintenance and other nightmares

After purchasing the license for on-premise software and investing in suitable hardware and the necessary personnel, it should be expected that the implementation, configuration and maintenance of these on-premise software solutions will require significant resources.

The time required to implement an on-premise software solution is often underestimated. It is generally recommended to maintain separate stages of the IT environment for development, testing and production, which typically multiplies the cost of hardware and licenses.

A significant part of the effort spent on the initial implementation of the on-premise software must be repeated with every major update. It never ends.

Disaster Recovery

Nobody likes to imagine a disaster that could halt an entire organization. In some instances it may not take that much, though. How much would it cost to create backups that are truly stored at independent locations? And how fast would recovery be if those backups were actually needed after a disaster? Both numbers (the cost of independent copies and the recovery time) should be known and tested before the disaster, not estimated afterwards.

Swift and inexpensive backup and recovery is probably the most prominent advantage of cloud solutions over on-premise ones.

Expertise, service level and support

Expert personnel are hard to find and much sought after. Software licenses and hardware can be bought with money; such personnel probably cannot. If a lab has access to these scarce resources, it should probably dedicate them to the unique problems of its business and not to building solutions that could just as well be bought off the shelf.

The weird sense of duty really good sysadmins have can border on the sociopathic, but it’s nice to know that it stands between the forces of darkness and your servers. https://xkcd.com/705/


Excited about the impact of genetic diagnostics on patients’ lives. Founder of a genomics software company.