Government regulation on cloud security may spur SaaS use in health care

Governments may need to tighten the regulatory screws on SaaS vendors to make them be more transparent and forthcoming about their security practices.

Until then, it will be hard for health care companies in particular to fully trust cloud software vendors, according to speakers at the EU-U.S. ehealth Marketplace and Conference in Boston on Wednesday.

Depending on customers to audit cloud vendors to ensure that their security and privacy measures comply with U.S. government regulations on protecting sensitive data is inadequate, one of the speakers said.

"The best we can do right now is a checklist," said Chris Davis, a Verizon senior architect whose job entails ensuring that the company's cloud services meet the data security regulations of various national governments. Technology, however, changes rapidly and checklists soon become dated, he said.

To properly gauge the effectiveness of a cloud vendor's security policies, customers should be able to examine the company's risk management practices. However, cloud vendors lack a reason to be this transparent. Instead, said Davis, they sign documents saying they comply with laws like the Health Insurance Portability and Accountability Act in the U.S., which governs the sharing and protecting of people's health information. The government could pass laws that encourage the exchange of cloud security practices by vendors, he said.

Companies from various industries are already collecting reams of information for projects related to big data analysis, but aren't sharing and studying this data for security matters.

"It's a threat to all industries, not just health care," said Davis. "Security should be transparent and operate in the background."

Most of the cloud products are so new there aren't government regulations for specific use cases, said Charles Beyrouthy, CEO of LabCloud, a Boston company that develops SaaS (software as service) products for small and medium-size research laboratories. The government could help by developing standards for different data uses, such as in a laboratory or for data related to ehealth.

The same method of financial penalties and rewards that compelled hospitals to adopt electronic health records for meaningful use in patient care could be used to get cloud vendors onboard with sharing security data, said Davis.

"The role of government is to move toward that transparency and data sharing," he said.

Governments could also pass legislation that gives people more access to the data companies have collected on them and the ability to control it, such as correcting wrong information, said Ralph Zottola, CTO of the research computing division at the University of Massachusetts.

"People are smart and are willing to participate but they need to feel they're not being abused," he said. This applies to all industries, not just health care, he said.

But government laws alone won't increase cloud computing use in the health-care space. The SaaS industry could do more to make its services intuitive to use and better suited to the needs of specific health researchers, like those who work in labs.

Giving people the ability to control their data in the cloud is a design issue, not a security problem, said Davis, who added that some user interface designs are clunky.

"There's still a significant percent of the population that aren't technologically literate and can't use these services," he said.

Cloud software developers may not realize that health researchers need applications that have audit functions to ensure that workers are complying with regulations, said Beyrouthy.

"The software has been designed by software professionals" and that can prove problematic in the highly regulated health-care industry, he said.

Instead of using industry-specific services consolidated onto one platform, scientists use Microsoft Word and Excel for document management and multiple platforms for storing data.

"Fifty to 70 percent of the time scientists are managing stats instead of doing actual work," said Beyrouthy.

As for how much of the health-care industry has taken to using cloud services, the answer varies depending on the definition of cloud computing. Hospitals haven't been eager to roll out SaaS services, said Davis. Among individual care providers, however, adoption rates are higher, especially with consumer-focused services like Dropbox.

"I talk to a number of doctors who unknowingly use iCloud," he said, referring to Apple's storage and backup cloud service.

Fred O'Connor writes about IT careers and health IT for The IDG News Service. Follow Fred on Twitter at @fredjoconnor. Fred's e-mail address is fred_o'connor@idg.com