Since HealthExpense is now expanding its platform to allow users to log in directly, more authentication will be needed soon, so the company plans to add two-factor some time this year.
But there's another risk that the company is worried about, which will be a bit harder to address.
"That is the elephant in the room these days," said Lee. "More and more companies are starting to move their services to the cloud providers. I see attackers trying to compromise the cloud provider to get to the information."
If attackers can get into the cloud systems, that's a lot of data they could have access to. But attackers can also go after availability.
"The DDoS attacks are getting larger in scale, and with more IoT systems coming online and being very hackable, a lot of attackers can utilize that as a way to do additional attacks," he said.
And, of course, there's always the possibility of a cloud service outage for other reasons.
The 11-hour outage that Amazon suffered in late February was due to a typo, and affected Netflix, Reddit, Adobe and Imgur, among other sites.
"From a sustainability and availability standpoint, we definitely need to look at our strategy to not be vendor specific, including with Amazon," said Lee. "That's something that we're aware of and are working towards."
The problem is that Amazon offers some very appealing features.
"Amazon has been very good at providing a lot of services that reduce the investment that needs to be made to build the infrastructure," he said. "Elastic load balances and other services make it easy to set up. However, it's a double-edged sword, because these types of services will also make it harder to be vendor-agnostic. When other cloud platform don't offer the same services, how do you wean yourself off of them?"
Take, for example, Amazon's Relation Database Service.
"Normally, it would take a lot of resources to design and map out the reliability and availability that is already one of the features of RDS," he said. "If you have to migrate off of that, you have to architect something. They are very good at making sure that companies continue using their product."
That is the big question the company is facing now, he said. "Do we invest heavily in some Amazon-native feature? And which services do we not invest in, so that we can migrate, or run in a hybrid mode?"
That requires some serious thinking about architecture design, he said.
"We're trying very strategically to use Amazon services so we're not overly ingrained," he said.
An ounce of prevention
When it comes to avoiding cloud platform lock-in, the earlier a company starts thinking about it, the better, experts say.
Sign up for CIO Asia eNewsletters.