2013 Aug 21;15(8):e186. doi: 10.2196/jmir.2494

Table 2.

Suggestions before moving electronic health records to the Cloud.

| Security issues | Description |
| --- | --- |
| Data security | Because a Cloud provider will have access to all the information concerning the patients, project plans, etc., it is essential to check the provider's reputation in the market. The provider must guarantee that its clients' information will not be misused by any unauthorized personnel. The health care provider should check the data protection and operational integrity services offered by the provider. Moreover, it is valuable to know the geographic location of the servers where the client data would be hosted. In brief, clients should demand total transparency. |
| Regulatory compliance | It is important to choose providers that hold security certifications and are ready for external audits. It is crucial that the provider guarantee the continuity of the service in case the provider has some kind of problem. The client must ensure that the provider operates in the country where the service will be offered. Data logging and data monitoring are important tools that Cloud providers should offer in order to improve the security of the service. |
| User authentication | Because the data are processed externally by a third party, there is always some inherent risk. The client must know about the personnel who will manage the medical information and what standards for access will be followed by the provider. The client must be informed about the role-based access systems as well as the password handling system configured by the provider. |
| Data separation | The provider handles not only the client's data stored in the Cloud but also the data of other companies that have hired its services. It is therefore important to know the mechanisms the Cloud provider implements to separate the data of all the companies that share the same servers. The clients must be informed about the availability of the data that the provider guarantees. |
| Legal issues | A legal framework must guide the policies of the Cloud provider. Intellectual property rights agreements between the two parties should be of prime importance. While the provider owns the right to its infrastructure and applications, the client owns the right to his/her data and computational results. |