Government regulation on cloud security may spur SaaS use in health care

The SaaS industry can also help increase adoption by designing products with better user interfaces

Governments may need to tighten the regulatory screws on SaaS vendors to make them be more transparent and forthcoming about their security practices.

Until then, it will be hard for health care companies in particular to fully trust cloud software vendors, according to speakers at the EU-U.S. ehealth Marketplace and Conference in Boston on Wednesday.

Depending on customers to audit cloud vendors to ensure that their security and privacy measures comply with U.S. government regulations on protecting sensitive data is inadequate, one of the speakers said.

"The best we can do right now is a checklist," said Chris Davis, a Verizon senior architect whose job entails ensuring that the company's cloud services meet the data security regulations of various national governments. Technology, however, changes rapidly and checklists soon become dated, he said.

To properly gauge the effectiveness of a cloud vendor's security policies, customers should be able to examine the company's risk management practices. However, cloud vendors lack a reason to be this transparent. Instead, said Davis, they sign documents saying they comply with laws like the Health Insurance Portability and Accountability Act in the U.S., which governs the sharing and protecting of people's health information. The government could pass laws that encourage the exchange of cloud security practices by vendors, he said.

Companies from various industries are already collecting reams of information for projects related to big data analysis, but aren't sharing and studying this data for security matters.

"It's a threat to all industries, not just health care," said Davis. "Security should be transparent and operate in the background."

Most of the cloud products are so new there aren't government regulations for specific use cases, said Charles Beyrouthy, CEO of LabCloud, a Boston company that develops SaaS (software as service) products for small and medium-size research laboratories. The government could help by developing standards for different data uses, such as in a laboratory or for data related to ehealth.

The same method of financial penalties and rewards that compelled hospitals to adopt electronic health records for meaningful use in patient care could be used to get cloud vendors onboard with sharing security data, said Davis.

"The role of government is to move toward that transparency and data sharing," he said.

Governments could also pass legislation that gives people more access to the data companies have collected on them and the ability to control it, such as correcting wrong information, said Ralph Zottola, CTO of the research computing division at the University of Massachusetts.

"People are smart and are willing to participate but they need to feel they're not being abused," he said. This applies to all industries, not just health care, he said.

But government laws alone won't increase cloud computing use in the health-care space. The SaaS industry could do more to make its services intuitive to use and better suited to the needs of specific health researchers, like those who work in labs.

Giving people the ability to control their data in the cloud is a design issue, not a security problem, said Davis, who added that some user interface designs are clunky.

"There's still a significant percent of the population that aren't technologically literate and can't use these services," he said.

Cloud software developers may not realize that health researchers need applications that have audit functions to ensure that workers are complying with regulations, said Beyrouthy.

"The software has been designed by software professionals" and that can prove problematic in the highly regulated health-care industry, he said.

Instead of using industry-specific services consolidated onto one platform, scientists use Microsoft Word and Excel for document management and multiple platforms for storing data.

"Fifty to 70 percent of the time scientists are managing stats instead of doing actual work," said Beyrouthy.

As for how much of the health-care industry has taken to using cloud services, the answer varies depending on the definition of cloud computing. Hospitals haven't been eager to roll out SaaS services, said Davis. Among individual care providers, however, adoption rates are higher, especially with consumer-focused services like Dropbox.

"I talk to a number of doctors who unknowingly use iCloud," he said, referring to Apple's storage and backup cloud service.

Fred O'Connor writes about IT careers and health IT for The IDG News Service. Follow Fred on Twitter at @fredjoconnor. Fred's e-mail address is fred_o'

Join the CSO newsletter!

Error: Please check your email address.

Tags securityhealth carecloud computingindustry verticalsinternetVerizon Communications

More about AppleDropboxEUExcelFredFred'sIDGMicrosoftNewsTechnologyVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Fred O'Connor

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts