Murphy told a recent teleconference sponsored by Verizon that HIPAA compliance drives much of the healthcare IT industry’s decision making on cloud adoption. He noted that hospitals are leading the way in terms of cloud adoption, but they are primarily using cloud services for business and corporate application, not in the patient information application area.
At the same time, smaller clinics and physician practices are reluctant to move to the cloud because of HIPAA compliance concerns. “I don’t think healthcare organizations will move to the cloud until they know that security is there”, he said.
Murphy noted that HIPAA compliance is the focus of his company’s concerns about the cloud. MD-IT provides information technology to healthcare clinics and physician practices.
“We are looking at the cloud to ease our requirement for more internal data center resources. To use the cloud, we need to figure out how to integrate it with our existing systems and infrastructure”, Murphy said.
Murphy added that in order to successfully adopt cloud computing, his company needs three things: 1) to achieve availability and performance goals, 2) to provide information security, and 3) to make economic sense. He noted that cloud vendors have been able to satisfy MD-IT requirements in the first and third areas.
“We still are having trouble nailing HIPAA security requirements in the cloud. It is hard for use to understand from the conversations we’ve had with vendors where our data would be located, who would have access to it, and how audits would work”, Murphy explained.
“It is my sense that cloud vendors don’t have their offerings targeted to the smaller outfits, such as MD-IT….We can’t tell from our smaller perch exactly where things stand”, he added.
Jim Reavis, executive director of the Cloud Security Alliance, commented that cloud providers are considering community cloud offerings that are HIPAA-compliant and targeted at the smaller health care clinics and physician practices.
Security in the cloud is a “trust and confidence issue”, Reavis told the teleconference. Many companies, not just in the healthcare industry, are concerned about being able to comply with information security regulations while using cloud.
“When you peel back the layers, there are more concerns about companies being able to show that they are compliant with regulations by using cloud services rather than being able to quantifiably say they are more or less secure”, Reavis said.