Governments may need to tighten the regulatory screws on SaaS vendors to make them be more transparent and forthcoming about their security practices.
Until then, it will be hard for health care companies in particular to fully trust cloud software vendors, according to speakers at the EU-U.S. ehealth Marketplace and Conference in Boston on Wednesday.
Depending on customers to audit cloud vendors to ensure that their security and privacy measures comply with U.S. government regulations on protecting sensitive data is inadequate, one of the speakers said.
"The best we can do right now is a checklist," said Chris Davis, a Verizon senior architect whose job entails ensuring that the company's cloud services meet the data security regulations of various national governments. Technology, however, changes rapidly and checklists soon become dated, he said.
To properly gauge the effectiveness of a cloud vendor's security policies, customers should be able to examine the company's risk management practices. However, cloud vendors lack a reason to be this transparent. Instead, said Davis, they sign documents saying they comply with laws like the Health Insurance Portability and Accountability Act in the U.S., which governs the sharing and protecting of people's health information. The government could pass laws that encourage the exchange of cloud security practices by vendors, he said.
Companies from various industries are already collecting reams of information for projects related to big data analysis, but aren't sharing and studying this data for security matters.
"It's a threat to all industries, not just health care," said Davis. "Security should be transparent and operate in the background."
Most of the cloud products are so new there aren't government regulations for specific use cases, said Charles Beyrouthy, CEO of LabCloud, a Boston company that develops SaaS (software as service) products for small and medium-size research laboratories. The government could help by developing standards for different data uses, such as in a laboratory or for data related to ehealth.
The same method of financial penalties and rewards that compelled hospitals to adopt electronic health records for meaningful use in patient care could be used to get cloud vendors onboard with sharing security data, said Davis.
"The role of government is to move toward that transparency and data sharing," he said.
Governments could also pass legislation that gives people more access to the data companies have collected on them and the ability to control it, such as correcting wrong information, said Ralph Zottola, CTO of the research computing division at the University of Massachusetts.
"People are smart and are willing to participate but they need to feel they're not being abused," he said. This applies to all industries, not just health care, he said.
Sign up for CIO Asia eNewsletters.