Healthcare News & Insights

Questions you need to ask vendors about cloud technology

More hospitals are using cloud technology to improve their operations. But before you have your facility start uploading data to the cloud, make sure you ask these questions first.

A growing number of hospital leaders are recognizing the benefits of using the “cloud” to improve their day-to-day tasks. And for good reason: Cloud technology has helped many facilities reduce operations, staffing and maintenance costs while improving efficiency.

HIMSS Analytics conducted a survey about cloud use, and found that out of 150 respondents, 83% were using the cloud for various functions. Most of the facilities used the cloud to store and access clinical applications, or as part of their health information exchange. Many hospitals also use cloud technology to store data from their electronic health records (EHRs) as backups in case of emergencies.

As the survey shows, even more providers are preparing to adopt cloud technology. And those facilities that already have cloud technology are planning on expanding their use in the coming years.

Unfortunately, there are two issues that have providers concerned about using the cloud in the future: privacy and security of protected health information (PHI).

Not as secure as vendors think

Hospital leaders should take some time to look into the privacy and security measures their health IT vendors are taking, especially before adopting cloud technology to store PHI.

As Dan Schroeder, an attorney who works with health IT and HIPAA compliance cases, notes in an article for the American Bar Association, many vendors don’t properly secure software and devices to HIPAA standards.

For example: Rather than conduct a full risk analysis, they may obtain a Service Organization Control (SOC) 1 report (also known as an “SSAE 16”) to show HIPAA compliance. But these reports weren’t designed with HIPAA compliance in mind. That means there could still be security weaknesses that haven’t been spotted or addressed by the vendor.

Some vendors may also take a “one-size-fits-all” approach to security by applying the ISO 27002 information security standard, without actually considering how the technology will fit into the consumer’s operations. And, as Schroeder puts it, “no pre-defined set of controls can fulfill HIPAA requirements, because controls are only effective if they are relevant and pragmatic in the organization’s unique environment.”

This is concerning since facilities can also be held liable when business associates have data breaches because they didn’t fully assess data threats and vulnerabilities. And when the Office for Civil Rights (OCR) revives HIPAA audits this coming fall, the agency will be scrutinizing healthcare providers and their business associates to make sure they’ve conducted thorough risk analyses.

Asking ahead of time

That’s why it’s crucial that your Chief Information Officers keep tabs on your vendors’ preventive measures. Marla Hirsch, a writer for Fierce EMR, reports that hospitals can better protect their healthcare data in the cloud by asking vendors what security steps they’ve taken.

Make sure you ask:

  • What safeguards (physical, technical and administrative) are being used to secure PHI?
  • When was the last time the vendor conducted a full risk analysis to comply with HIPAA, and what measures were taken to fix vulnerabilities?
  • When was the last time a provider included an assessment of its cloud provider in its own risk analysis?
  • What happens if the cloud vendor suffers a breach — who cleans up the problem, notifies patients, offers free credit monitoring?

You’ll also want to perform a risk analysis for your own facility, to make sure there aren’t any vulnerable areas on your end that could expose PHI to breaches.

You should also keep records of the weak areas you find and what steps you’ll take to prevent breaches. That way, even if there is a breach, you can still show you took preventive measures, which can sometimes help reduce penalties.



  1. […] addition to this, asking potential (and current) vendors about their cloud technology is also key. This is a nice article written by Julie Lopez that focuses on the right questions businesses should … Her article mainly focuses on health care, but makes a lot of great points that everyone should […]