When considering the data integrity risks and issues that must be addressed in healthcare IT and data handling, the first thing everyone thinks of is HIPAA. While that will always be at the top of everyone’s list, there’s more to think about. Mobile adoption is a key consideration as well in these times – it is an inevitable direction, as most healthcare providers are using mobile devices in exam rooms, emergency rooms, ambulances, and for connection away from their offices. Many healthcare analysts believe the greatest barrier to mobile health adoption is the risk of a data breach, followed by meeting regulatory and compliance requirements for the privacy and security of patient data. While there are certainly concerns to be addressed, the necessity of mobile devices for delivering care in an ever-expanding healthcare ecosystem is undeniable.
Pros and cons
Why am I mentioning all of this? Because when considering offshore development, these concerns don’t go away. In fact, they grow, if for no other reason than pure ignorance: the level of security to be maintained is still the same, and the onus for data safety lies with the delivery organization, not the offshore development team. Still, there are several areas you must think about when considering taking your development offshore:
- A strong labor union presence in the software service sector workforce may result in lower productivity
- Some areas have a scarcity of trained resources (a concern because some areas have resource attrition rates as high as 25%)
- Lack of a wide array of technology skill sets
- Potential for weaker spoken English skills
- Unstable governments and inadequate IP laws
- Time zone differences, often in the 8-12 hour range
- Weak software development process frameworks
Of course, there are benefits. Hourly rates in the range of $10-$30 per hour for most teams will top the list. And language barriers can often be overcome through the use of translators or by limiting most communication to email and instant messenger. In reality, most of these companies, when managed effectively by strong leaders on the hiring organization side, can deliver excellent services.
As with any undertaking like this, there are always going to be risks and security concerns. Whether engaged in global software outsourcing or not, each company must assess the threats to their computer systems and the actual risks that they face. Threats include viruses, denial of service attacks, network intrusions, fraud, and sabotage by disgruntled employees. It is, of course, impossible to defend against all possible threats and therefore each company must analyze its actual risks. The investment in computer and network security must be commensurate with the actual risks.
Risk analysis and determining appropriate countermeasures are necessary for all companies. However, the picture becomes much more complicated for a company that is using an offshore development facility. There are several complicating factors (as outlined by a document on Security Challenges of Offshore Development from the SANS Institute Reading Room):
- Loss of overall control. Outsourcing development often means a loss of some control and oversight. The security team often loses the ability to regulate the authentication of users from the offshore team while opening direct channels into its own systems. It’s a potential security risk that needs to be weighed.
- Network complexities. Keeping a handle on traffic and managing network configurations becomes an even greater challenge when an offshore development center is added. If the development center produces software for multiple clients and does not isolate the networks connected to each client’s system, configuration management can become a nearly impossible task.
- Clashing security policies. Not to be overlooked or minimized is the likely difference between your approach to security and security policies and that of the offshore development facility. Discrepancies can create holes in the security system.
- Threats to intellectual property. Export compliance can become an issue when working with an offshore development center because your company’s information, customer data, financial data and trade secrets become available to employees who are not subject to the same US laws you are. Costly litigation can follow if there are security breaches.
- Legal concerns. Offshore development centers are subject to different laws – meaning protection of your sensitive data may be non-existent. Do proper research before embarking.
In the end, you have to decide what is going to be best for your organization, obviously. There are definitely some downside risks and considerations with going offshore – unless you have someone onsite 100% managing the offshore development team. But by doing that you cut seriously into the cost savings you’ll realize by going offshore, so I don’t recommend going that route. Plus, you’d have to find someone from your US group that wants to relocate to Vietnam. Not for me, but it may be for someone. A past colleague of mine has his own technical development staff there so he keeps a house there and goes there often.
What about our readers? If your organization is utilizing a few or an entire staff of offshore developers, how is it going? Successful? Problematic? What ongoing or frequent issues are you seeing? How are they being addressed? Please share your thoughts and experiences.