A view from the Center


Deloitte's Life Sciences & Health Care Blog

Offshore support for IT systems: How safe is your sensitive health data?

Health care organizations can learn from other industries and support IT systems using offshore resources to reduce costs, while maintaining security. An onshore-offshore Application Management Services (AMS) model can support and enhance IT applications while reducing costs.1 The value of offshore AMS is reflected not only in potential cost savings, but in also the ability to rapidly flex up or down in a high quality manner as business demand fluctuates.

In many industries, offshore outsourcing of IT systems is mainstream; most Fortune 1000 companies leverage an offshoring model. But health care organizations lag behind these other industries by not taking advantage of this opportunity. Some health care organizations are worried that offshoring their electronic medical records (EMRs) would expose them to higher risks around sensitive patient health and personal information (PHI/PII).

Health care organizations also may have a limited understanding of the difference between storing data at remote offshore locations and keeping data on client systems and accessing it from a remote offshore location. Established players often use the second model, which is typically much safer in protecting sensitive information.

Leveraging offshore services for data protection and security delivery has evolved significantly over time.  A leading approach is multi-tiered, using physical, administrative, and technological controls to provide a high degree of data assurance and IP protection.

Let’s take physical security first. Many organizations have established “clean rooms” in other parts of the world. A clean room is a physically segregated space, often dedicated to a single client. Access to clean rooms is closely controlled (a practitioner need a special badge to go into the room). Desktops inside the clean room do not support USB ports and include additional high levels of physical security, typically a guard at the door, video surveillance, monitoring access and detecting intrusion.

Administrative security measures help keep data safe. Administrative measures can include policy guidelines, checklists, security training, and ongoing risk assessment and audit of controls and incident response plans.

Finally, from a technology standpoint, the clean rooms and the equipment inside them are an extension of the health care organization’s data environment, with secure and direct connectivity to the organization’s network. They are completely isolated from any local access. Such high quality and secure virtual environments allow applications to data on the organization’s network.

The 2014 Breach Level Index shows about 76 percent of all data breaches occurred in the United States. In comparison, only 8 percent of the breaches originated from Asia, while Europe and the rest of the world accounted for the remaining 16 percent.

A healthy balance between the controls and collaboration is key so that project teams can still be productive while protecting sensitive data. Even though the security controls are needed, they can create some challenges for a geographically dispersed team to collaborate.  Commonly used collaboration tools can create some exposure to potential security incidents and therefore should be deployed carefully in order to help mitigate such exposure.

Business leaders, chief information officers (CIOs), and chief information security officers (CISOs) should approach AMS through strategic partnerships with high quality and reputed service providers, which helps reduce cost and protect the data. Confidential information management planning (CIMP) should be initiated early on in the engagement design process.  Some of the key elements of the planning process are:

  • Compliance with government regulations on viewing, storage and access – for example, Health Insurance Portability and Accountability Act (HIPAA) and Centers for Medicare and Medicaid Services (CMS) guidelines

And the identification of:

  • key data elements that individually or collectively constitute PHI/PII, intellectual property, or sensitive business information
  • the IT systems and access needed to deliver the services envisioned
  • who has permission to access the data and from what locations
  • a governance and administrative process to provide and revoke access
  • the connectivity solution, the technical, physical and administrative safeguards
  • clearly outlined roles and responsibilities
  • mechanisms for periodic review and audit
  • timing of periodic threat assessments, review of controls, and an incident response plan

The CISOs should review and approve the CIMP for compliance with clients’ information security standards and risk management.

Organizations also need to consider common sense measures like providing access to data only to the extent and duration needed and establishing necessary safeguards to prevent the copying or downloading of sensitive data. These can go a long way in preventing breaches.

A strategic approach to data security in an onshore-offshore AMS model, built on a practical and proven platform, can provide needed benefits while securing sensitive health care data.

1Based on internal data analysis

Author bio

Srinivas Sreepada is a Senior Manager in Deloitte’s Application Management Services (AMS) Practice. He focusses on the health care provider sector and advises clients on improving efficiency and reducing cost of operating their electronic health record (EHR), business intelligence and enterprise resource planning (ERP) applications. He manages the delivery of Epic AMS services for some of our large provider clients.


Ayan Chatterjee is a Principal in Deloitte where he leads the Application Management practice for the life sciences and health care industries. He is also on Deloitte’s national technology leadership team. Ayan has more than 23 years of experience in business strategy, process, and technology. He advises clients on ways to gain efficiencies and reduce costs in managing their IT applications using a globally distributed model. Ayan leads the largest managed service Epic engagement of its kind with a team of over 400 resources across the US and India for a large US health care provider.