Until then, it will be hard for health care companies in particular to fully trust cloud software vendors, according to speakers at the EU-U.S. ehealth Marketplace and Conference in Boston on Wednesday.
Depending on customers to audit cloud vendors to ensure that their security and privacy measures comply with U.S. government regulations on protecting sensitive data is inadequate, one of the speakers said.
"The best we can do right now is a checklist," said Chris Davis, a Verizon senior architect whose job entails ensuring that the company's cloud services meet the data security regulations of various national governments. Technology, however, changes rapidly and checklists soon become dated, he said.
To properly gauge the effectiveness of a cloud vendor's security policies, customers should be able to examine the company's risk management practices. However, cloud vendors lack a reason to be this transparent. Instead, said Davis, they sign documents saying they comply with laws like the Health Insurance Portability and Accountability Act in the U.S., which governs the sharing and protecting of people's health information. The government could pass laws that encourage the exchange of cloud security practices by vendors, he said.
Companies from various industries are already collecting reams of information for projects related to big data analysis, but aren't sharing and studying this data for security matters.