He added that Salesforce complies with its obligations under HIPAA's "business associate" classification. In addition, it offers customers a number of security and compliance tools, including event monitoring, audit trails, and encryption.
"These features make it easier for customers to achieve HIPAA-compliant use of the Salesforce Platform and Salesforce Health Cloud," he said.
But even with the most secure cloud service, there are still potential vulnerabilities. For example, if a doctor is accessing cloud-based records on their laptop or tablet using automatic logins -- or leaves the device in a public area already logged into the system -- then the records become vulnerable.
Ebba Blitz, president of US operations at security vendor Alertsec, said that she uses Salesforce. If she ticks the box that says "remember my password," all she has to do is open her laptop and she is up and running.
"This means that if I lose my laptop, and someone gets my login, they have full access to my Salesforce cloud," she said.
She suggests that healthcare organizations also look at two-factor authentication to lock devices and restrict access to sensitive data.
Mobile devices in particular offer a number of quick authentication methods -- everything from fingerprint scans to voice activation to swipe gestures -- that easily become automatic for users and don't get in the way of using the device.
Organizations also need to watch out for local caching of patient information. This may be useful if, say, a medical professional needs to review records on a long plane trip. But it also means that the data is locally available on the device if the device is lost or stolen.
"That's why it's so important to have encryption," said Blitz.
Salesforce's Newman said that there are a number of best practices that Salesforce recommends to its customers.
In addition to two-factor authentication, for example, customers are advised to limit logins to particular IP addresses and to use SMS identity confirmation when users log in from unknown devices or IP addresses.
Customers should also strengthen password policies, mandate that all sessions be encrypted, and decrease session timeout thresholds.
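The controls listed above (login IP ranges, SMS identity confirmation for unrecognised devices or addresses, a password policy, encrypted-only sessions and a short idle timeout) can be expressed as a small policy check. The following is an added illustration written for this article, not Salesforce code and not the configuration of any real tenant; the IP ranges, device and address lists, password rules and timeout value are constructed assumptions.

```python
"""Login and session policy checks modelled on the recommendations quoted above.

Illustrative code added to the article; none of it is Salesforce's own.
Every range, device id, user and threshold below is a constructed example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed "login IP ranges": only addresses inside these networks may log in.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/25")]
# Assumed devices and source addresses previously confirmed for each user.
KNOWN_DEVICES = {"ebba": {"laptop-ebba-01"}, "ward7": {"tablet-ward-7"}}
SEEN_IPS = {"ebba": {"203.0.113.10"}, "ward7": {"198.51.100.20"}}
MIN_PASSWORD_LEN = 12            # assumed organisational minimum
SESSION_IDLE_TIMEOUT = timedelta(minutes=15)  # assumed, shorter than a default


@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    device_id: str
    password: str


@dataclass
class Session:
    user: str
    last_activity: datetime
    scheme: str = "https"        # transport the session was established over


def ip_is_trusted(ip: str) -> bool:
    """True when the address falls inside one of the configured login IP ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def password_meets_policy(pw: str) -> bool:
    """Minimum length plus at least three of four character classes."""
    if len(pw) < MIN_PASSWORD_LEN:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(bool(re.search(c, pw)) for c in classes) >= 3


def evaluate_login(attempt: LoginAttempt) -> str:
    """Decide what the policy does with a login attempt.

    'deny'  - password fails the policy, or the source IP is outside the ranges
    'sms'   - inside the ranges but from a device or address not seen before,
              so an SMS identity confirmation is required first
    'allow' - trusted range, known device and previously confirmed address
    """
    if not password_meets_policy(attempt.password):
        return "deny"
    if not ip_is_trusted(attempt.source_ip):
        return "deny"
    known_device = attempt.device_id in KNOWN_DEVICES.get(attempt.user, set())
    seen_ip = attempt.source_ip in SEEN_IPS.get(attempt.user, set())
    if not (known_device and seen_ip):
        return "sms"
    return "allow"


def session_is_valid(session: Session, now: datetime) -> bool:
    """Reject sessions not carried over TLS and sessions idle past the timeout."""
    if session.scheme != "https":
        return False
    return now - session.last_activity <= SESSION_IDLE_TIMEOUT


if __name__ == "__main__":
    good = LoginAttempt("ebba", "203.0.113.10", "laptop-ebba-01", "Tr0ub4dor&Three")
    print(evaluate_login(good))                                   # allow
    print(evaluate_login(LoginAttempt("ebba", "203.0.113.77",
                                      "laptop-ebba-01", "Tr0ub4dor&Three")))  # sms
    print(evaluate_login(LoginAttempt("ebba", "192.0.2.5",
                                      "laptop-ebba-01", "Tr0ub4dor&Three")))  # deny
    noon = datetime(2024, 1, 1, 12, 0)
    print(session_is_valid(Session("ebba", noon - timedelta(minutes=20)), noon))  # False
```

The order of the checks matters: the hard IP-range restriction is evaluated before the softer "unknown device or address" rule, so a request from outside the permitted networks is refused outright rather than being offered an SMS prompt, and the idle timeout is enforced on every request rather than only at login.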