Rick Allen, service line director for IS operations at Gwinnett Health System in Lawrenceville, Ga., manages just about every storage medium under the sun, from Fibre Channel networks to optical disk to tape libraries. But pressured by HIPAA regulations and seeking cost savings for his company, he's working to consolidate and automate his records management process.
"I'm trying to consolidate all that because keeping up with it is making me pull my hair out," says Allen. "[Consolidation will] allow me to effectively manage storage allocations and data retention, and minimize the amount of data stored."
Regulatory compliance issues and business needs are challenging IT managers to reinvent their storage strategies and driving a move toward information life-cycle management (ILM), a nascent concept for managing data in a policy-driven, automated fashion from cradle to grave. ILM is an outgrowth of an older and more well-known concept, hierarchical storage management, the automated management of data, from file backup to archiving.
The goal of ILM is to put certain types of data on appropriate types of storage devices and media depending on how long companies must keep it or how soon they might need to retrieve it. Another key component is automated deletion of data when regulators no longer require it be saved.
Today, however, ILM is still in its infancy—it's a collection of disparate management applications and hardware that combines policy-based storage management with online storage, nearline storage and archive tape storage. In a post-Enron world, companies are using these bits of technology to make sure that data is stored in compliance with new laws and purged at the right times, and that records-retention policies are enforced.
The problem, as Gartner Inc. analyst Ray Paquet defines it, is that "today we have storage, period. Information is put on storage without any concept of its value." On average, Paquet says, 70% of all data on disk is untouched after 90 days. So when you consider how expensive high-end Fibre Channel storage devices are—anywhere from 9 to 15 cents per megabyte—it makes sense for storage administrators to migrate data to less-expensive media as fast as possible. Serial Advanced Technology Attachment (ATA) drives, for example, are one-tenth the cost of Fibre Channel drives, Paquet says.
"That's big dollars. And the data is still on disk, so it's immediately accessible," he says.
Here's a look at how four companies are using storage technology to meet regulatory requirements, while keeping costs down.
A Call to Consolidate
At Gwinnett Health System, storage administrators are dealing with the requirements of the Health Insurance Portability and Accountability Act, which mandates that radiology images and other records be saved for set periods of time—in some cases, for the life of the patient. Physicians must also be able to easily and quickly access those records, which means they must remain online for years.
To meet those demands, Gwinnett uses a mix of 130 servers (Dells and Hewlett-Packards) backed up by a storage-area network and direct-attached storage. Allen says his archival systems include optical disk and three tape library formats: Mammoth 2, linear tape open and digital linear tape.
The problem is, Gwinnett's storage architecture, like that of many enterprises, is made up of islands of capacity without any policy-driven system for migrating data between systems based on the importance of each document and how long it should remain on one form of media.
"We're converting data off the WORM drives and onto the SAN," Allen says. "HIPAA says we have to keep files for a minimum of seven years. Some of the stuff we just can't ever get rid of.
"Patient safety is a big push. We've got to be able to provide our physicians with all the information they need to make good decisions. I've got to have some way to manage [that information]," he adds.
A Drive to Save Money
For Bob Massengill, manager of technical services at Wake Forest University Baptist Medical Center in Winston-Salem, N.C., ILM is less about regulations and more about cost. The Medical Center has 20 subsidiary or affiliate hospitals and runs 87 satellite clinics throughout the region with about 11,000 employees.
"Everybody's scrutinizing everything you spend now, so you'd better make sure everything you spend is invested at the right level," Massengill says.
Two years ago, Massengill set up a SAN powered by a refrigerator-size EMC Corp. Symmetrix storage array. The SAN worked well, says Massengill, but after about a year, he found he couldn't justify saving everything from e-mail to old X-rays on disk that cost him up to 15 cents per megabyte. So earlier this year, to achieve lower total cost of ownership, Massengill installed a storage array based on cheaper ATA disks, also from EMC, and upgraded his Storage Technology Corp. enterprise-class PowderHorn tape library to include a virtual tape array or a disk array that mimics tape for faster backup.
The medical center now has 45TB of capacity, but Massengill says he still performs data migration without the use of policy-based tools. "We're using Legato's software for backup. It's not totally manual, but it's not totally policy-driven either. We have scripts that say when to dump data to tape."
Massengill says he now needs tools to help him classify data to decide whether and how long it should be on high-cost primary storage disk, nearline storage or a tape archival system.
"I'm struggling with that. I guess the big thing that is missing is nobody has a clear-cut, true ILM product on the market today. I need to determine what kind of data it is and how often it's been used," he says.
For example, Massengill says he's working on setting up automated policies for e-mail storage. That will free up primary disk storage space by migrating less important data onto the correct medium, he says.
Massengill says it will take him about 12 to 18 months to complete data analysis and policy development.
Lock It and Back It Up
More than a year after the Sarbanes-Oxley Act for corporate accountability was passed, the legal and IT departments at Chicago-based Grant Thornton LLP are still hammering out just what data needs to be stored where and for how long.
Dave Johnson, director of IT at the global accounting and auditing firm, says he has been meeting twice a month with the firm's compliance department to work out storage requirements. The group evaluates data by line of business and type of client in order to best address the legal guidelines, he says.
Johnson is keenly aware that the Sarbanes-Oxley Act is requiring public accounting firms to retain documents from publicly traded companies for seven years, two years longer than previously required.
For now, Grant Thornton uses services from Connected Corp. in Framingham, Mass., to back up all desktop applications and meet regulatory requirements. Each time a user logs in, any file updates are automatically transmitted via virtual private network (VPN) to Connected, which "ensures we don't have those files any more and the legal department is the only one that can get them," Johnson says.
Find the Right Technology
Charles Bennett, vice president and director of compliance at Hornor, Townsend & Kent Inc., the brokerage division of Penn Mutual Life Insurance Co. in Horsham, Pa., sits on a regulatory compliance committee at his firm that includes IT management. The group is "constantly looking for ways to make the firm's records retention operation more automated and efficient and at a better price point," he says.
"Clearly, one of the things I end up doing is giving [IT] people a sense of the importance of the ability to retrieve data and how fast we need to do that," says Bennett. "The [U.S. Securities and Exchange Commission's Rule 17a-4] requires us to be able to retrieve any document within 24 hours."
The firm's compliance committee evaluates whether data being stored on an IBM enterprise-class SAN should eventually be written off to tape or optical disk, which is one option for meeting the SEC's requirement that all electronic documents be stored on WORM technology.
Bennett says the current process used to determine whether an electronic document is regulated by the SEC is manual and arduous. Once a regulated document is identified, it must be off-loaded from the SAN to optical disk and then shipped to Boston-based Iron Mountain Inc. for off-site storage. The problem comes in retrieving that data, which can take days, Bennett says.
"We struggle over the most appropriate technology solutions for both the business' need and risk," he says. "If you're addressing a regulatory request for documents, you sure don't want to give someone a date range and have them paw through all your communications."
Bennett says he expects to purchase Iron Mountain's e-mail surveillance service, which will allow his company to transfer all e-mails to an off-site storage facility via a VPN and then perform oversight via a Web browser equipped with content management software. "My staff today spends 15% to 20% of their time reviewing e-mails," he says. "We expect with this supervisory module that we'll cut down to 5%."
But, as Gartner's Paquet points out, e-mail is only one piece to the document-retention equation. "I think vendors will start to glue the systems together in the next year to 18 months," he says. "The question is, When will it be completed? That's at least three years out, if not five years out."
In the meantime, users will continue to cobble together their own solutions, piece by piece.
 |
|
|
The New Rules of Storage
Stories in this report:
- Editor's Note: The New Rules of Storage
- The Story So Far: The History of RAID
- Regulated Storage
- The Slow Move to Information Life-cycle Management
- IP Storage: Keeping a Safe Distance May Make Sense for Data Recovery
- Unpleasant Success
- iSCSI's early adopters
- The Almanac: Storage Briefs
- Serial vs. Parallel Storage
- Storage Careers: Thinking Outside the Box
- The Next Chapter: Predictions About Storage
- Storage Regulations Quiz
- Negotiating a storage deal? Improve the odds of success with these tips
- Data destruction: What they can't find can get you 20 years
- Readers share their stories
