Tight Budgets and Cloud Computing

At a time when the on-demand, pay-as-you-go model of cloud computing has been getting a lot of press as a way to save costs, it’s more important than ever to have a good understanding of what needs to be done to make sure that data remains secure. The urgency of the issue was reinforced, for me, by an op-ed piece in the August 30 New York Times by Vivek Kundra, who was the Obama administration’s chief information officer between 2009 and last month.

As the administration’s CIO, Kundra says he embraced the cloud as a way to save costs by providing an alternative to costly hardware and software that is purchased and maintained by the customer. During his tenure the Obama administration instituted a “Cloud First” policy, which advocates the adoption of cloud services by government agencies. He notes that some federal agencies have embraced the cloud while others (such as the State Department) have raised concerns about security risks of storing data off site by private companies.

Nonetheless, the cloud is a compelling model. Kundra estimates that in healthcare alone, even a 1-percent increase in productivity over the next 10 years would represent a $300 billion value, much of which could be achieved with cloud-based services. At a time when many hospitals are faced with tight budgetary constraints, the cloud is an attractive option.

In a recent interview for an article on cloud security that appeared in the August issue of Healthcare Informatics, Mac McMillan, chair of the Healthcare Information and Management Information Systems Society (HIMSS) Privacy and Security Policy Task Force, said that from a business perspective, the cloud “is a smart thing to do; from a security perspective it is a smart thing to do if it is done correctly.”

But he says provider organizations need to carefully evaluate cloud vendors before signing on to do business with them. He believes the issue is important enough to form a workgroup that will focus on the issue.

Fortunately there are industry organizations that provide some guidance. One resource is the Cloud Security Alliance (CSA), which offers documents to help organizations that are considering the cloud have the controls it needs are in place.

In Kundra’s view, cloud computing is often far more secure than traditional computing, and notes that companies such as Google and Amazon can attract and retain cyber-security personnel of higher quality than many government agencies. I think the same can be said of many heath providers. He sums up his piece with the prediction that budget crises will accelerate the move to cloud services, noting that government, businesses and individuals all have a lot to gain with its use.

He may or may not be right, but he should have added that any organization that is considering the cloud should do a thorough assessment of the cloud provider. As noted by McMilllan, the really critical questions revolve around who will have access to the data and how can an organization audit the security controls around its data. They are questions consistent with those any organization should ask of a third-party vendor that is going to hold its data, he says. And the job of vetting rests squarely with the provider.