What's in Store for 2004 - Compliance, storage, and beyond

Industry trends, user priorities, what you really need to know

Ok, so it may be a bit late for rolling out the "analyst's predictions for 2004," so we're not going to do that. You see, anyone can prognosticate on what might happen this coming year and if you write in a general enough tone and keep it brief, you've got a good chance of still sounding credible (even in 12 months time). We're going to go one better.

Give us a few minutes of your time, and we'll tell you what IT, business professionals, and technology vendors need to know with regard to the biggest compliance-related news in 2004. Perhaps more importantly, we'll tell you why these issues will be among the most talked about in boardrooms and IT departments in the coming year and beyond.

1. Vendor beware! Compliance backlash
While ESG has done extensive research and written much on compliance, we have also advised our vendor and IT clients not to get "addicted to compliance" from a marketing and messaging standpoint. Throughout 2004 we will continue to advise our clients that it's crucial to be well versed in the letter of the law, the nuances of each regulation, and the business processes affected by regulatory issues. 2004 is the year the fortunes of technology vendors rise and fall based less on their compliance marketing messages, and more on the quality of their products, the depth of their experience, and the bottom-line results their solutions deliver.

Technology vendor guidance:
Technology vendors must communicate long-term visions of enterprise-wide intelligent information and storage management while being able to deliver short-term results that help organizations better manage compliance and corporate governance. Some storage technology, content management, and enterprise message archiving vendors rode the FUD (fear, uncertainty, and doubt) wave of compliance in 2003, but won't be so lucky in 2004 without being able to demonstrate knowledge of the regulations and their customer's business processes.

IT and business professional guidance:
There are very real risks and penalties associated with being found in violation of regulatory, federal, or corporate mandates. Some challenges, such as implementing an enterprise message archiving solution for your email and instant message (IM) traffic, are cost-effective and quick to justify. If you haven't already, form a compliance or corporate governance advisory board that draws its members from across IT, C-level executives, and lines-of-business. First identify the regulations that affect the business and then track your organization's preparedness (or lack of) towards meeting them. Challenge your vendors to deliver both near-term results-such as containing the onslaught of email or allowing for quick search and retrieval of messages-while still providing a flexible solution that will help address the larger problem of managing Petabytes (PB) of data in the near future.

2. HIPAA Security Rule has some positive impact on IT spending (finally!)
It's easy to claim that 2004 is going to be the year the HIPAA Security Rule causes healthcare providers, healthcare plans, and insurance companies to start spending feverishly as if it were "Y2K" all over again. The more difficult questions to answer are why and how these organizations-which are notoriously slow to invest in technology-will prepare for what's sure to be a painful security checkup.

The HIPAA Security Rule defines a complete spectrum of administrative, physical, and technical safeguards that must be in place to protect the availability, integrity, and most of all, the confidentiality of patient information. All covered healthcare entities, except for small health plans, that electronically create, transmit, and store health information must comply with the Security Rule by April 21, 2005. The Security Rule will have far more impact on healthcare organizations than the other two parts of HIPAA have had, and will expose the dire state that this country's healthcare IT systems are in.

As ESG reported in our research report, "Compliance: the effect on information management and the storage industry", the Security Rule addresses many areas that storage technology vendors can play a part in including:

  • Administrative safeguards - contingency planning, disaster recovery planning and testing
  • Physical safeguards - storage device and storage media controls
  • Technical safeguards - access controls, backup / recovery plan, data integrity checks

Stay tuned throughout 2004 for more detailed ESG analyses and reporting on the HIPAA Security Rule and how it will affect the technology vendor and user communities. Ultimately, ESG believes that the HIPAA Security Rule has the power to begin a transformation of the healthcare industry and its use of information technology.

3. Sarbanes-Oxley hype begins to deliver
Throughout 2003 storage technology vendors focused mainly on the FUD surrounding Sarbanes-Oxley, or "SOX" as it's affectionately known among the compliance crowd. Vendors that opt for this same strategy in 2004 will be wasting theirs and their clients' time.

Sarbanes-Oxley addresses the procedures and internal controls for retaining and protecting corporate financial and accounting records, many of which are created and stored in digital form. That said, ESG believes SOX has less impact on storage capacities and more effect on how financial records, and ultimately all forms of corporate records, are managed or mismanaged, throughout their lifecycles. It would take approximately 5,000 pages of financial records to equal the amount of storage capacity consumed by an average-sized digital MRI. The real impact of SOX is on financial reporting applications and other fiscally-related data sets, which don't consume a ton of storage. Content management and storage management software vendors will find some business by exploiting SOX as well, but primarily as a way to address the tactical needs of enabling proper filing and retention of financial records. Specifically, vendors that offer automated data migration (ADM) solutions, which enable policy-based migration of specific data sets or records, should invest time and energy to learn more about SOX.

Sure SOX is a pain, and has given many storage vendors a reason to make sales calls, but in the end, SOX is a means to an end. The real impact of SOX is that it's going to (hopefully) make investors more comfortable with the honesty of their favorite company's executive board, which (again, hopefully) will reinvigorate investment in publicly-traded stocks. We also believe that SOX is simply the first and most publicized in a series of future regulations that will place federal mandates and controls on almost every piece of corporate information. Maybe the Fed should invest our social security pension fund in disk drive manufacturers and content management stocks¿ (Just a little storage humor)

4. Elliot Spitzer for president in 2008!
Well, that may be a bit far-fetched. How about "Governor Spitzer" for starters? Wall Street needs a hero after Dick "Let's Make a Deal" Grasso dragged the still tarnished reputation of this nation's financial markets back into the pit of despair they were just starting to emerge from. What does this have to do with compliance, you ask?

See #3 above but know this: The high-profile cases of the past two years, including Frank Quattrone, Martha Stewart/IMCLONE, Enron, and WorldCom are just the beginning. Elliot Spitzer, the current attorney general of New York, has shaken up the broker-dealer segment of the financial services industry, and now has his sights set on mutual funds, pension funds, hedge funds, and any other dark corner of the financial industry that someone could hide a pile of money or an incriminating email in.

Using SOX and SEC Rule 17a-3 as his calling card, Spitzer will continue his assault on the lack of accountability, weak security controls, and poor records management practices that seem to permeate every office on Wall Street. While this is healthy for the U.S. financial markets, it will take several years and millions of dollars of investment in new or updated IT systems, storage, and content management tools before Sheriff Spitzer hangs up his spurs.

5. Email may be tactical, but damn it keeps me up at night!
Contrary to what some other analysts have predicted, we see no reason that 2004 should be anything but another breakout year for email, instant message, and other forms of enterprise message archiving tools. Email archving vendors may be reaching saturation in the financial services markets that include broker-dealers, and other organizations that must comply with SEC Rule 17a-3&4. That said, how about healthcare, insurance, and the thousands of small financial services organizations outside the hallowed halls of Wall Street that use email and IM for their daily business? How about the record of the PayPal transaction you just completed to pay for that new camcorder you won on eBay?

Or how about the fact that email is the most critical application of over 200 leading IT and business professionals according to a recent ESG survey? Anyone who thinks that 2003 was the end of the bull market for enterprise message management and archiving solutions isn't looking beyond his own nose. U.C. Berkeley's 2003 update to their 1999 research report, "How Much Information is there in the World?" claimed that 400PB of new storage capacity would be required in the past year simply to store the world's new emails. Are you feeling protected? Just wait until Microsoft's Windows Collaboration Server comes out (or just keep reading)!

6. You think email is a pain to manage? Wait until your users stop chatting and start collaborating.
If IT and business professionals lost sleep during 2003 worrying about solving their email or IM archiving challenges, now is the time to rest up. Even while Microsoft's collaboration strategy continues to evolve, this much is certain: Just as email, and more recently IM, has changed the way corporate workers communicate, near-future technologies will change the way workers actually work.

Microsoft and other vendors aim to revolutionize interpersonal productivity in much the same way Microsoft has transformed personal productivity with its Microsoft Office suite and Exchange / Outlook combination. Over the next few years, individual technologies like Windows SharePoint, Office LiveMeeting, and BizTalk Server will be unified and refined into a comprehensive suite. Longhorn, the codename for Microsoft's next Windows client, is expected to include many collaborative features as well as real-time communication tools. Obviously, the next version of Microsoft Office will be tightly integrated with Longhorn and will be the U.I. through which much of corporate America leaves IM and emailing behind, and begins to collaborate on projects.

Reflect, for a moment, on the 400PB of email that Berkeley claims was created in the past 12 months. Consider too, that solutions to index and archive millions of messages every day were among the hottest technologies in the software industry. Now consider a near future where you have seamless access to not only your own contact manager and scheduling, but that of your colleagues as well-and in real-time, regardless of their location. Consider too, if every revision, change, edit, and decision made on a project was captured, time-stamped, tracked, indexed, and stored as a unique object for future reference. Let's not forget all the documents, presentations, spreadsheets and engineering drawings that go along with your project. It will take a few years for all this collaboration to trickle down to the storage administrator responsible for keeping today's Exchange Server up and running. Just be grateful that you're not the person responsible for taking down the systems or storage supporting your company's Microsoft Content Management Server 2006 infrastructure. And you think 400PB or a million emails is a pain to manage! Wherever there is a record of the business, or a decision is made via email or a collaborative tool, there will be a need to retain more of these records for regulatory compliance or perhaps just to meet a new corporate mandate. More people = more information created = more information stored = more information retained. It's time to add the term "Exabyte" (the storage term, not the company) to your vocabulary.

7. Everyone, say it with me - "HIPAA's the tip of the spear"
Vendors and users alike love to talk about how information technology has the power to save the business money. Consider for a minute what it would be like if we empowered our healthcare providers, doctors, and surgeons with the ability to actually use technology to save lives.
That's the mission of visionary caregivers like Dr. John Halamka, CIO of CareGroup, a Boston-based company that owns Beth Israel Deaconess Medical Center and four other Massachusetts hosptials. According to healthcare industry research, 80 percent of hospitals and 95 percent of doctor's offices use the same "paper, folders, and film" method of storing patient medical records implemented after World War II. Next time you go to your local town doctor, look around. Does it look like the last time the carpets and wallpaper were updated was 1960? Chances are their information systems are from the same era.

ESG believes that some sensitive and private patient health information inevitably gets loose, and unencrypted on public networks. Unfortunately, much like in the financial services industry, it may take a headline-making healthcare tragedy on the scale of Enron to cause change in this industry where doctors are notoriously suspicious of technology.

ESG believes the real story is that HIPAA will shine a spotlight on the antiquated IT systems that form the backbone of this country's healthcare system. Since 2001, CareWeb, the controversial online database of some nine million patient records spearheaded by Dr. Halamka, has resulted in a 50% reduction in the rate of medical errors, e.g., giving a patient the wrong medication. That kind of "savings" is truly remarkable, and realistically possible, using the right dose of technology.

The prognosis for 2004 and beyond? Spending on IT in the healthcare industry is going to explode, and HIPAA is going to light the fuse. It all begins this year; just watch. (And continue to take your vitamins and get some exercise on a regular basis)

The Bottom Line
For some industries, compliance is a dirty word. For others it's a compelling event that causes great pain, huge monetary fines, and for an unlucky and unlawful few, jail. When you peel back the covers and look beyond the headlines, what you see in every industry is change. Individuals and the companies they work for are changing the way they conduct business and communicate with fellow workers or even with their patients. At its core, compliance is about protecting and managing information, and extracting maximum value with minimal risk. On this prediction, we'll never be wrong: the only thing constant is change.

Author: Peter A. Gerr

This article was originally published on February 11, 2004