By Jeff Erramouspe

According to a recent study by Hytrust, 55% of healthcare organizations have already moved mission-critical workloads, including sensitive patient data, to a cloud or software-defined data center. The same study also found that 77% of these organizations plan to move more workloads onto a public cloud service.

With the cloud, organizations gain increased agility, connectivity, and accessibility. Meanwhile, software as a service (SaaS) applications—such as G Suite, Office 365, Salesforce, and Veeva—are revolutionizing healthcare operations by providing on-demand information to users, helping speed tasks and improving productivity. This allows organizations to focus less on time-consuming tasks, such as IT administration, and more on providing quality patient care.

But as cloud adoption increases, so do the risks associated with keeping data in the cloud. For hospitals and healthcare organizations facing increasing security threats, including ransomware attacks, IT teams must follow data storage, compliance, and backup best practices in order to operate with confidence in the cloud.

Robust data protection plans that enable rapid recovery from data loss should be the end-goal for healthcare IT and security teams, but getting there isn’t as simple as choosing the best cloud provider. The first step toward data protection in the cloud is developing a deep understanding of how your organization will work with your selected cloud vendor.

Knowledge should extend past the internal workings of the organization to include the processes of business associates and subcontractors who create, receive, maintain, or transmit protected health information (PHI) on behalf of a business associate.

As a “covered entity,” healthcare organizations are responsible for ensuring the security of PHI in health IT systems. Business associates may include services such as cloud service providers like Google, Microsoft, or Salesforce, that furnish SaaS applications.

Steps for Success 

Best practice dictate that this and any relationship with a cloud vendor require a business associate agreement in order to manage PHI in the cloud, and this might not always be as simple as a signature–many cloud service providers (CSPs) restrict healthcare organizations to a subset of their application services in order to properly safeguard SaaS. This is an added headache for IT administrators but a necessary one.

The next step in a best-practice approach to healthcare data in the cloud is ensuring that the healthcare organization and its business associates align with HIPAA requirements and meaningful use standards, or the principles that govern electronic health record (EHR) programs. For this, multiple actions must be taken, including:

  • Encryption of data in transit and at rest
  • Ownership of data
  • Data portability, with no vendor lock-in
  • Enterprise integration, via open interfaces and application programming interfaces
  • Complete compliance by protecting unstructured data in the same manner as structured data (EHR)

The third step is understanding and identifying other areas where HIPAA compliance must be met. One such area is within the custom applications built to meet an organization’s unique operational needs. For instance, this would include internal apps built on, the Salesforce platform. These apps, the subset of an SaaS application, are often built to feed data into enterprise resource planning, human resources, and financial systems of record and likely contain PHI.

Finally, in order to ensure compliance with HIPAA and other standards surrounding data protection, retention, and accessibility, organizations need to understand and address the “gaps” where CSPs have no control of or ability to recover data. For instance, server failures caused by a natural disaster may prevent data loss that can never be recovered by SaaS providers.

Additionally, data loss due to accidental or malicious deletion or ransomware are similarly unrecoverable in many instances. This lack of protection or recovery isn’t by accident—CSPs do not offer on-demand, backup, and recovery services and, in fact, there are policies in place that restrict the data capacity of vendors to protect the best interests of the organization.

Compliance Is Key

Hospital and healthcare organizations utilizing cloud apps must therefore implement a HIPAA-compliant backup and restore solution to ensure compliance and eliminate the operational risks related to data loss—that range from inconveniences to critical data loss—and the cost associated with such loss.

On the provider side alone, recent research shows that, for an organization with 50 providers where loss of access to data is within a typical CSP service level agreement of 96% uptime, the cost-per-year to that organization can be more than $2 million. Combined with HIPAA compliance risk and related fines, a third-party backup recovery solution is essential to protecting data and remaining compliant in the cloud.

The risks that hospitals and health organizations face in the cloud are not going away, but the cloud remains the best path to speed, agility, and innovation. Ensuring data is protected, compliant, and backed up will help speed this progress and allow organizations to operate with confidence.

Jeff Erramouspe is vice president and general manager of Spanning, a Dell-EMC company specializing in cloud-to-cloud backup.


  1. 2016 state of the cloud and SDDC study. Mountain View, Calif.: HyTrust Inc., 2017. Available at: Accessed March 23, 2017.
  1. Anderson, MR. The cost and implications of EHR system downtime on physician practices [white paper]. Montgomery, Texas: AC Group Inc, 2011. Available at: