In the eternal discussion of what’s more secure: cloud or in house, it was recently pointed out to me why many people now believe that a cloud company is more secure than anything you would implement in house. Here’s the reason: If a cloud company gets breached, they’re dead.
I think this is true. At least it’s true in healthcare. I don’t know many healthcare organizations that would select a cloud healthcare IT company that had just been breached. Not many. If you’re a healthcare cloud company and you get breached, your future is basically over as a company. There might be a few that could survive if they have enough money, if there are mitigating circumstances, etc, but that’s going to be pretty rare.
With this in mind, it’s easy to understand why a cloud based healthcare company is going to invest to ensure they don’t get breached. No startup founder or health IT company CEO wants to put their blood, sweat, and tears into a company that gets blown up because they didn’t address proper security and get breached.
What happens if a healthcare organization gets breached? If you’ve ever been there, it’s not a fun experience. It’s embarrassing. This is particularly true if your breach is large enough (500 or more individuals) to end up on the HHS Wall of Shame. I mean the HHS Breach Portal. Yes, there are often even fines associated with a breach as well. It’s not pretty and it’s not fun. However, most healthcare organizations that get breached continue practicing like usual. Sure, they likely make an investment in some more security, a proper risk assessment, etc, but the company still continues providing healthcare services like usual.
Fear isn’t always the best driver in life, but it can be a good one. Cloud healthcare companies have a healthy fear of being breached because their company’s future depends on it. That’s a powerful motivator to make sure you avoid breaches. I’m sorry to say that most healthcare organizations don’t have this same fear and motivation. Most of them still employ what I call the “Just Enough” approach to security and privacy. Note that it’s “Just Enough” to sleep at night as opposed to “Just Enough” to be secure. There’s a difference.
No doubt there are exceptions to the above on both sides of the aisle. Some cloud healthcare companies don’t do a good job securing their technology. Some healthcare organizations do a really excellent job securing their organizations. However, as a rule, I think it’s fair to say that most cloud healthcare companies are more secure than hosting something in house.