Four questions you should ask your Software-as-a-Service vendor

In both the technology and the healthcare worlds, change is the challenge and also the goal. As consumers, we all want and expect healthcare and technology to be cutting-edge, flexible, adaptive, and relevant. We want them to perform consistently to meet our needs today and responsively anticipate our needs tomorrow. And we need to know that our privacy and safety are their highest priorities.


A good cloud vendor seeks to always innovate in this direction for its customers and their users. A great one delivers levels of performance, reliability and security that embody more than just rapid and flexible responsiveness to change, but also a visionary sense of how to responsibly innovate and grow securely.


Is your vendor meeting that challenge and that goal? Here are four questions you can ask to find out.


How do you ensure your software-as-service platform’s performance?

According to the Riverbed Global Application Performance Survey 2015, 98 percent of businesses believe app performance is critical to their success, but 89 percent also say that poorly performing apps negatively impact their work. To close this gap for their customers, cloud vendors must be able to respond quickly – and proactively – to performance issues. That requires knowing what the issues are before the user experiences them, and before they begin to rob companies of their ability to remain competitive and profitable. To do that, they must understand their system’s historical performance at the deepest and most infinitesimal levels.


When engineers study their system’s performance regularly, comparing yesterday’s metrics to today’s, and monitoring each small interaction at the atomic level, they know precisely and specifically where the strengths and weaknesses lie. Historical performance monitoring allows your cloud vendor’s engineering team to enter the operating room with tweezers rather than a hammer – they don’t guess where the problems are, they know, they prioritize accordingly, and they use the right tools for the job. If this is your vendor, then that’s great news. They are proactive and creating opportunities to resolve issues before the user experiences them. They have the tools they need to anticipate, improve and innovate. And they’ve given themselves a certain measure of creative space for innovation.


How detailed is the root cause analysis of your last outage event?

No system is perfect. Outages can happen to the best, most proactive of us. But reliability plays a key role in the cost effectiveness of your software-as-a-service system, so a mature cloud vendor should be ready and willing to provide a detailed root cause analysis of the last outage event. And they should also be able to supply a third party’s accounting of historical reliability using a different methodology. This helps a cloud vendor assure that nothing is overlooked in the process.


Your cloud vendor should also happily own up to what’s working well and what’s not working well – or not working at all – for two reasons: 1) Detailed, granular and transparent historical performance monitoring is that key element in fully and deeply understanding the root cause of an event. It’s what allows us to respond quickly and appropriately (again, with tweezers rather than a hammer). 2) It’s usually the nature of engineers to want to take apart the puzzle and put it back together – only better. We like knowing where our vulnerabilities lie because they’re also opportunities for improvement and sources of inspiration. That quality is one of the best value propositions we offer to our customers.


What level of investment do you make in threat prevention?

Notice that this question isn’t about reducing your risk of security threats. It’s about preventing threats – knowing what’s out there, where the next threat might be coming from, where the vendor’s existing and potential vulnerabilities lie, and having a plan to address them immediately. A disaster plan is an obvious must, but a security roadmap created and maintained monthly (at a minimum) at the executive level is essential. It focuses efforts toward threat prevention at each level of the company from the leadership team down, which creates a corporate culture of proactivity. This means that there is an expectation that each employee should own and execute a level of threat prevention each day. You need to know, in no uncertain terms, that your cloud vendor provides this level of vigilance.


What are your change control processes?

If any of these is a million-dollar question, it’s this one. Innovation is the engine that drives business in the information age, but successful innovation must be rapid, responsive and responsible. If we sacrifice performance, reliability and security by rushing the innovation cycle, we risk destroying all that we’ve built. There’s no question that every code change holds the hope that our innovation will make the world better. But each code change also opens new doors to new threats. Understanding, engineering and planning according to that fact is an important differentiator when it comes to cloud vendors. It’s a huge challenge in an agile environment, but it can be done. And it’s a critical element in protecting your customers and your business.

Ask your vendor if their standard engineering practices require that each and every change in code is:


  1. Thoroughly justified
  2. Carefully documented at each step of the process
  3. Audited from first question all the way through release, and
  4. Subject to a rigorous, multi-layered approval chain


And are these processes and controls audited by a SOC 2 control before they even arrive at the controlled release phase? These should be at the heart of any great software-as-a-service vendor’s engineering practice and philosophy.


In both healthcare and technology, every innovation is potentially the next revolution, but it can also open us all up to new threats. Rapid and flexible response to change is a great operating philosophy that makes great things possible, but it isn’t enough. Innovation should be both responsive and responsible. And the process must always include diligently followed measures to ensure you never lose anything you’ve gained. A great cloud vendor will likely be thrilled to talk your leg off when you ask these questions. If yours hesitates, or if the answers don’t seem complete enough, then talk to as many of their other customers to find out how well things are working for them. If you’re not satisfied, we’ll be glad to welcome you to Healthx.



Win Norton is one of the founders of Healthx. He is a leading technical innovator of cloud-based solutions that improve operational efficiency and maximize IT resources for healthcare payers.