The idea of cloud computing has definitely taken hold in the healthcare industry. According to the Cloud Computing Tracking Poll, an assessment by CDW LLC, a technology solutions vendor, of current and future cloud use in business, government, healthcare and education, 28 percent of U.S. organizations are using the cloud today. CDW defines cloud computing as enabling on-demand access to a shared pool of configurable computing resources (networks, servers, storage, applications, services) that can be rapidly made available.
Healthcare organizations were a little above that average, with 30 percent of organizations saying they were implementing or maintaining cloud computing. Nathan Coutinho, enterprise server/storage/virtualization manager of CDW, says that while there is a great deal of interest among potential cloud computing users, many organizations have expressed concerns over security issues. In fact, security concerns ranked as the top roadblock to implementation, with 41 percent of respondents across all segments saying it held their organization back from either adopting or further implementing the cloud.
Mac McMillan, who is chair of the HIMSS Privacy and Steering Committee, notes that cloud computing, from a business perspective, is compelling. “From a business sense, it is a smart thing to do,” he says. “From a security perspective, it is a smart thing to do if it is done correctly.” That means that the healthcare provider must thoroughly vet any cloud provider it is considering using as a partner. For starters: what kind of a cloud model is the vendor offering? Public or private? What practices and measures does the provider have in place to make sure that the data will be managed in a secure way?
McMillan recommends the Cloud Security Alliance as a useful source of information about securing data on the cloud. “There is good information out there that people can use to ask the right questions of their cloud vendor, to find out if they are going to meet their needs from a compliance perspective and a data security perspective,” he says.
He notes that new requirements under the HITECH Act could be challenging, depending on what type of data gets stored on the cloud. The proposed Accounting for Disclosure rule from the Department of Health and Human Services’ Office of Civil Rights poses questions around auditing of data that is stored with a vendor’s cloud service. McMillan says security issues surrounding cloud computing will only grow in importance. He says the committee he chairs has decided to form a cloud security work group to look at the issue.
Stay tuned for more on cloud computing security issues in the August issue of HCI.