Healthcare Information Security

Cloud News

Regulations Drive Healthcare Cloud Security, Risk Standards

Healthcare cloud security concerns are still a key barrier in organizations utilizing cloud, but it is becoming less of a factor, a recent report finds.

By Elizabeth Snell

The intense healthcare regulatory requirements are one of the key drivers of cloud service providers (CSPs) looking toward healthcare cloud security and risk standardization, according to a recent Gartner report.

Healthcare regulatory requirements help drive cloud security priority

Gartner’s Market Guide for Cloud Service Providers to Healthcare Delivery Organizations also found that cloud security concerns are becoming less of an issue in terms of healthcare cloud adoption.

Furthermore, as healthcare providers’ infrastructure, system and support requirements continue to grow, they will be further pushed toward a hybrid IT environment.

This will allow the cloud to play an increasing role, according to Gartner researchers.

However, this expected growth will also be compounded by tight budgets and IT staffing issues.

“The days of the cloud or remotely hosted systems being seen as a threat to enterprise IT are over,” the researchers wrote.

“Today, the cloud is being seen as an extension to enterprise IT, but with some barriers still in place like the aforementioned security and compliance concerns.”

As healthcare CIOs gain a better understanding of the cloud, its benefits and limitations, and how to make the switch, there has been an increase in cloud adoption.

Gartner also highlighted key benefits for healthcare organizations that decide to implement cloud options:

  • Changing how IT resources are paid for (from capital to expense)
  • Decreasing the time it takes to deploy and to realize value from these assets
  • Creating more rapid, scalable responses to new business challenges
  • Freeing up IT staff and resources to pursue opportunity and innovation
  • Improving service levels and the disaster recovery capability of the enterprise
  • Offering higher levels of security capability than available within the HDO IT environment

HIPAA compliance cannot be overlooked when it comes to cloud computing, Gartner noted. It is no longer enough for a vendor to simply claim “HIPAA readiness.” Instead, Gartner insisted that healthcare providers find vendors willing to sign a business associate agreement (BAA), and also adhere to both the HIPAA Security Rule and the OCR HIPAA Audit Protocol.

A service provider should also be willing to adhere to standards such as SSAE 16 Type II, as well as a third-party compliance assessment or healthcare-specific security framework results, such as HITRUST.

“There is no such thing as ‘HIPAA compliance’ per se,” the report’s authors explained. “There is only the exercise of a standard of due care against the rule. The lack of a BAA does not release a cloud service provider from its responsibilities under the law.”

If a vendor is outside of the US, Gartner recommended that providers ensure that the vendor adheres to its regulatory counterpart, such as the European data protection Directive 95/46/EC.

CIOs looking to develop an IT strategy for a real-time health system should also contract for services that do not involve PHI storage, including secure messaging, clinical communications, and mobile device management. This approach can help gather more experience in selecting and managing CSPs.

“Healthcare provider CIOs are moving from skepticism to acceptance through a considered, sometimes reluctant, embrace of the cloud,” the report stated. “Gartner observes that healthcare provider CIOs are now taking advantage of SaaS offerings for their own purposes — subscribing to cloud-hosted service such as email, hosted virtual desktops, identity and access management, mobile device management, office productivity tools, and application support and service desk services.”

Dig Deeper:


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks

Continue to site...