The benefits of the Affordable Care Act (ACA) are still being debated. The roll-out of the ACA website, Healthcare.gov, and its subsequent problems provide sufficient evidence for enterprises to consider moving to the cloud in order to ensure data security.
However, the Healthcare.gov debacle proves that enterprises cannot move their sensitive data to the cloud with blind faith in cloud service provider security, and with the assumption that the data will be safe. Since enterprises have multiple options, they need to evaluate service provider security commitments and understand the risks before moving data to the cloud.
Let’s discuss some major cloud data governance and ownership concerns.
Ask for high security levels
Cloud service providers can provide and maintain higher levels of security than many individual enterprises. But as more data moves to the cloud, it becomes that much more vulnerable to potential attackers. Data breaches could result in compliance penalties, so enterprises need to make sure they have Business Associate Agreements in place as well. However, the latest HIPAA Omnibus Rule aims to change that by imposing equal responsibility on health IT vendors and providers.
Demand secure coding
The Healthcare.gov website reportedly had a complex set of 500 million lines of code that was not properly checked before the portal was rolled out. This also compromised the security of the website. Cloud service providers rigorously test their services before rolling them out to their customers, and display a commitment to secure coding practices.
Demand visibility
More and more end users are shifting to cloud services, and they must demand visibility from their vendors as part of their contractual agreements. Lack of transparency is a big problem when users are unaware of how their information is being used and shared by health information technology providers.
Don’t just rely on provider assurances
In November 2013, when experts identified numerous security risks with Healthcare.gov, they were of the opinion that the personal information of millions of Americans was at risk. These experts suggested that the site be taken down, but that has not been done so far. The developers are fixing it while it is running, which can further intensify problems.
Any system that gathers and stores such a huge amount of personal data requires assurances from top management that the data is secure and that fool-proof security measures are in place. In the case of Healthcare.gov, no such assurance has been provided by the White House.
“Unfortunately, the personal information that has already been entered into Healthcare.gov is vulnerable to online criminals and identity thieves,” said Rep. Lamar Smith (R-Tex.), Chairman of the Science, Space, and Technology Committee. “President Obama has a responsibility to ensure that the personal and financial data collected as part of Obamacare is secure. It is clear this is not the case.”
Enterprises that use sensitive data – especially data covered by HIPAA – can no longer rely on service provider assurances. If they are taking a risk-based approach, they must independently secure their cloud data through encryption, and practice sound key management processes.
The cloud concept may be relatively new for the healthcare industry, but it is certainly one that is going to help the industry move forward in the years ahead.