Thinking Outside the Box

Regulatory compliance issues are changing the jobs of storage professionals.

The commonwealth of Massachusetts requires its hospitals to store patients' medical records for 30 years. That's no small feat for CareGroup Health Systems, a network of six hospitals that's associated with Harvard Medical School in Boston. To meet that requirement, it currently stores 70TB of patient medical data.

But CIO John Halamka expects to double storage capacity to 140TB by 2004 to accommodate what he calculates will be needed to meet the storage and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), as well as the financial data storage requirements established by the Sarbanes-Oxley Act.

To handle the onslaught of data, Halamka in March hired a storage manager, a newly created position responsible for strategic planning for CareGroup's skyrocketing storage needs, including three classes of storage retrieval services.

"The only way that you can deal with the overwhelming growth of the storage requirements is to have a very thoughtful strategic plan for how to build centralized storage," Halamka says.

Many CIOs agree. In the face of mind-numbing storage requirements brought on by new legislation, some IT departments are realigning and retraining employees to handle risk management, adhere to business rules and ensure privacy.

Sixty-five percent of the more than 100 companies polled by Meta Group Inc. in August 2003 claim to be actively involved in projects to meet Sarbanes-Oxley compliance requirements. Another 25% of the respondents said they're planning to initiate such projects in the near term. And nearly all health-related fields are feeling the pinch of HIPAA storage requirements.

But despite the work ahead for IT departments, the size of IT staffs and the cost of storage, budgets remain flat. As a result, hardware at the end of its life cycle is being replaced with higher-density storage and smarter storage technology that requires less maintenance.

Restructuring the IT Department

Blue Cross and Blue Shield of Minnesota in Eagan was ahead of the game when HIPAA and Sarbanes-Oxley compliance became a top priority. Already offering its customers secure Internet access to claims information, the $5 billion health insurance provider was well on its way to compliance with HIPAA, which mandates that records be available to customers and that confidentiality be protected.

But complexities in the federal law's requirements, such as one mandating that sensitive medical records of girls over the age of 12 be kept confidential from their parents, prompted CIO John Ounjian to undertake a major restructuring of the IT department.

"I have to bring privacy and security to individual household members. So within storage management, privacy and regulation make it quite complex," he says.

Nearly 150 IT staffers were retrained or realigned into new positions. "We needed more engineering types and more robust risk management-type people that understood security and controls," Ounjian says.

A handful of new IT employees were brought in, but the staff size remained the same because of attrition, he adds. IT costs also remained flat through the transition.

Also, Ounjian appointed three senior-level advisers who report directly to him. One, a vice president in charge of transaction engines, makes sure business rules for compliance are being properly applied, documented and executed. "She needs to know storage management, where the data is coming from and how the output is being managed," Ounjian says.

A second adviser, also a vice president, is in charge of technology and ensures that information flows quickly and securely. The third, a director, makes sure security, privacy, continuity, risk controls and passwords are all in play when allowing access to data. So far, Ounjian says, the transition has been successful, because employees have been willing to change roles.

What's Next?

Changing roles could become the norm for storage professionals. As storage systems become more intelligent and in some cases self-managing and self-healing, storage administrators will move away from managing the systems and toward managing and protecting information, according to Peter Gerr, an analyst at Enterprise Storage Group Inc. in Milford, Mass.

"A lot of people I speak with are looking at [storage management] in terms of content management, policy and procedure, rather than hands-on, highly technical storage administration," Gerr explains.

But in the short term, huge challenges remain with storage capacity planning, provisioning and backup. "Maintaining and deepening the skill sets they have today is important," Gerr says.

Storage professionals should also build a foundation in network storage as the networking market continues to converge with storage. Of course, "an awareness of the business issues that are driving the organization is important, too," Gerr says.

Collett is a freelance writer in Sterling, Va. Contact her at

Special Report

The New Rules of Storage


Copyright © 2003 IDG Communications, Inc.
