Governments may need to tighten the regulatory screws on SaaS vendors to make them more transparent and forthcoming about their security practices. Until then, it will be hard for healthcare companies in particular to fully trust cloud software vendors, according to speakers at the EU-U.S. ehealth Marketplace and Conference in Boston on Wednesday. Depending on customers to audit cloud vendors to ensure that their security and privacy measures comply with U.S. government regulations on protecting sensitive data is inadequate, one of the speakers said. “The best we can do right now is a checklist,” said Chris Davis, a Verizon senior architect whose job entails ensuring that the company’s cloud services meet the data security regulations of various national governments. Technology, however, changes rapidly and checklists soon become dated, he said. To properly gauge the effectiveness of a cloud vendor’s security policies, customers should be able to examine the company’s risk management practices. However, cloud vendors lack a reason to be this transparent. Instead, said Davis, they sign documents saying they comply with laws like the Health Insurance Portability and Accountability Act in the U.S., which governs the sharing and protecting of people’s health information.
The government could pass laws that encourage the exchange of cloud security practices by vendors, he said. Companies from various industries are already collecting reams of information for projects related to big data analysis, but aren’t sharing and studying this data for security matters. “It’s a threat to all industries, not just health care,” said Davis. “Security should be transparent and operate in the background.” Most of the cloud products are so new there aren’t government regulations for specific use cases, said Charles Beyrouthy, CEO of LabCloud, a Boston company that develops SaaS (software as service) products for small and medium-size research laboratories. The government could help by developing standards for different data uses, such as in a laboratory or for data related to ehealth. The same method of financial penalties and rewards that compelled hospitals to adopt electronic health records for meaningful use in patient care could be used to get cloud vendors onboard with sharing security data, said Davis. “The role of government is to move toward that transparency and data sharing,” he said.