This content is part of the Essential Guide: Guide to examples of cloud computing in healthcare

CIOs becoming more comfortable with healthcare cloud security

Healthcare cloud security has long been mistrusted by health IT professionals who had concerns about HIPAA compliance and more. This sentiment is beginning to change.

Healthcare CIOs are beginning to shed one of the common excuses for not moving over to the cloud: The cloud is not secure.

CIOs have been wary of healthcare cloud security because the cloud is often hosted and managed by companies like Amazon and Google that either do not have expertise in the healthcare industry or are only just beginning to gain experience in healthcare.

But that sentiment about healthcare cloud security is beginning to change. Three CIOs share their thoughts on healthcare cloud security:

Ed McCallister, CIO at UPMCEd McCallister

Ed McCallister, CIO at the University of Pittsburgh Medical Center, Pittsburgh: I'm very comfortable with security in the cloud, as comfortable as I would be with an on-premises model. Again, a lot has been invested with [the] cloud. The cloud-enabled players such as Microsoft and … Dell, all the usual large players, Google, Amazon. So, from a security standpoint, I'm very comfortable with the cloud. I think that [cloud vendors] follow the same security standards that we would follow in our own data center.

Indranil Ganguly, CIO at JFK Health SystemIndranil Ganguly

Indranil Ganguly, CIO at JFK Health System, Edison, N.J.: [Cloud vendors are in responsible for] … keeping the infrastructure solid and performance levels where [they] need to be and security where it needs to be. We have a contract that says 'Hey, you've got to maintain stuff to this level.' So it takes the headache of that off of the shoulders of our staff. I don't have to have people now focused on that and it allows our team to focus more on the application itself and making sure the application is set up well for our users, not worrying so much about 'Hey, we're running out of storage' or 'There's issues with connectivity' somebody else has to go take over a lot of that responsibility.

Karen Clark, CIO at OrthoTenneseeKaren Clark

Karen Clark, CIO at OrthoTennessee, Knoxville, Tenn.: If you'd asked this question four or five years ago, CIOs would have said, 'Absolutely not in the cloud. I don't trust it. Forget it. I want everything on the premises,' but clearly that's not the way that the world is going … the cloud makes our network more secure because all those public connections are being made to [the cloud provider's] system, not to ours.
There are some applications that really lend themselves [to being hosted in the cloud]. Email is a perfect cloud application. I think there are some areas where cloud applications are clearly where everything's going. And it makes really good sense. And I think people are thinking, 'Where does it make sense strategically from a cost perspective, from a security perspective?'

If you'd asked this question four or five years ago, CIOs would have said, 'Absolutely not in the cloud. I don't trust it. Forget it. I want everything on the premises,' but clearly that's not the way that the world is going.
Karen ClarkCIO at OrthoTennessee

Security, depends on how you implement it … I think it's entirely on how you configure [your cloud platform]  and set [it] up and manage [it] For example, I use two-factor authentication on my personal Gmail account. I feel it's relatively secure. Now, if you're using a public email service like Gmail, you have to understand the limitations that that has. I think it's a complicated topic. And I don't think you can just peanut butter over the cloud saying, 'It's safe or it's not safe.' I think it's all over the map, but that's where providers like us … are aggregating our responsibility if we just say, 'Well, we're hosting it in the cloud, so now it's safe.' I mean, that's abandoning our responsibility. It's up to us to work with vendors that have appropriate security protocols and validate and verify them, especially when we're dealing with the EHR because it matters.

Next Steps

What healthcare organizations must know about the cloud

Cloud backup services can't sacrifice healthcare data security

The common cloud myths preventing deployment in healthcare

Dig Deeper on Health care cloud applications and services