Following a two-year deceleration of cloud growth, the technology again gathered steam in 2015. With the vast majority of healthcare providers now adopting cloud, it’s become critical to consider risk management for this transition. Here is a five-stage plan to see your organization through.

  • Slow-Down & Speed-Up of Cloud in Business
  • Hybrid Cloud and Risk Management in Healthcare
  • Five-Stage Cloud Risk Management for HIT
  • Managing HIT Risk with Your Choice of Cloud Vendor

Slow-Down & Speed-Up of Cloud in Business

In 2013 and 2014, there was a slow-down in the previously breathtaking ascent of cloud hosting. However, last year, the industry accelerated again, with 5.4% more organizations adopting the IT method.

Business generally has been moving to cloud, but healthcare companies have been somewhat more hesitant to implement these systems because of concerns with compliance and security. Nonetheless, 5 of 6 healthcare providers (83%) had cloud in place even back in 2014, according to the Health Information and Management Systems Society (HIMSS). Furthermore, Becker’s Healthcare notes in 2016 that “[c]ompared to previous years, providers are more likely to use cloud implementations and leverage mobile and analytics capabilities in the cloud than before.”

Cloud is an increasingly attractive way to do business, allowing companies to get ahead of their rivals by speeding up innovation. Consider this: IDC notes that more than 9 out of every 10 new software products were cloud-hosted in 2015. While traditional computing keeps all information on-site, cloud liberates companies from the expenses and hassles of handling the servers themselves internally. Other reasons that cloud is adopted include:

  • Immediate scaling and meeting of greater resource needs;
  • Sharing of app and infrastructure costs, allowed by multi-tenancy;
  • Delivery of new techniques such as integration services and virtual machines; and
  • Conversion to utility approach for more streamlined and efficient consuming and allocating of resources.

Hybrid Cloud and Risk Management in Healthcare

How is healthcare implementing the cloud? Often providers aren’t opting specifically for a private or public setup but instead are choosing a blend, notes Brian Evans of Health Data Management – a strategy that combines both models of HIPAA compliant hosting. Hybrid cloud allows businesses “to connect and integrate any new cloud applications with the investments they already have in IT,” he says. “A hybrid cloud solution eliminates the need for a business to choose between moving everything to the public cloud and keeping everything in the private cloud.” That’s basically why IDC FutureScape predicts that, somewhat incredibly, 4 out of every 5 enterprises will have a hybrid system deployed by 2017.

The transition of healthcare providers to cloud will mean their architecture is built differently; however, their security needs will be unchanged. For this reason, it’s critical to have a solid risk management program to guide the way so that all decisions are consistent.

Cloud vendor risk management means that you are placing all cloud systems within a customized set of security controls through a lifecycle method consisting of various stages.

A simple way to design such a program is to divide it into five stages, explains Evans. Each one “deals with different issues and challenges and includes a minimum set of actions and considerations needed to effectively verify, validate or incorporate information security into cloud computing operations,” he says. “They provide an end-to-end lifecycle approach to effectively manage cloud vendor information risks based on industry-recognized security principles and practices while aligning with methodologies from sources such as ITIL, ISACA and NIST.”

Five-Stage Cloud Risk Management for HIT

Here are the five stages:


Healthcare companies assess how cloud could be useful and create documentation on how it will serve them. Leaders throughout the firm should be involved. Security issues are outlined.

Cloud vendor risk management is centrally concerned with determining the sensitive data that will be involved. Look at compliance concerns and likely threats. Cloud vendors should be reviewed and listed in this report.

Solution development

The tool is selected and programmed as needed. Risk is assessed systematically. The results will guide the business toward appropriate controls.

“This includes requesting from the cloud vendor such items as their security policy, infrastructure geographic locations, technical security measures, and other control documentation,” says Evans. “It is critical that the cloud vendor meets or exceeds organizationally defined information security requirements.”


The services of the firm are loaded into the cloud system. Security mechanisms are put into place that meet the needs of the company and the guidelines of the vendor.

Encryption should be in place before integration, and disaster recovery should be considered and documented at this point – especially the back-out steps.

Operations & maintenance

Make sure that controls remain sufficient through monitoring, testing, and review as the cloud system is adjusted over time. It’s especially critical that cloud systems don’t just claim security but are reviewed externally against recognized hosting assessment standards such as AICPA SOC audits (see the “Managing HIT Risk” section below).

Termination & disposal

Finally, determine that all data, programs, and equipment that make up the cloud are transferred, sanitized, or destroyed as dictated by your policies. Your business associate agreement (BAA) with the vendor should state how this process should be conducted.

Regulations and policies should also be met whenever data is archived or transferred to other assets.

Managing HIT Risk with Your Choice of Cloud Vendor

Are you looking at healthcare hosting partnerships for a managed hybrid cloud? At Atlantic.Net, our Managed Cloud Hosting adds a layer of business-essential Managed Services to our award-winning, on-demand public VPS hosting service, within SOC-2-certified data centers.