So your hospital is thinking of taking the plunge into cloud-based computing? Yes, it'll allow doctors to access patient information quickly and save money on IT infrastructure. But there are inherent risks in handing precious patient data over to a third party.

"This is very different from, 'I bought an app from the app store, downloaded it and just started running it,'" says Jeff Townsend, executive vice president and chief of staff for Cerner, a tech company that provides electronic health records systems to hospitals. "I wouldn't encourage people to do that with health care data. It should be a little bit more of a conversation or a little stronger relationship than a $1.99 download."

Health care providers can use clouds for everything from accessing a software program to storing patient data somewhere off-site. The latter use is what could trigger scrutiny under HIPAA and the HITECH act. All cloud providers must adhere to the privacy policies and security steps spelled out in those acts, but most do not, according to Coalfire, a firm that conducts IT audits for hospitals and other cloud users.

"Can they meet those specific security requirements that your organization needs to meet and is there any kind of validation of that you can put in place and rely upon?" asks Kerry Shackelford, Coalfire's managing director and health care practice leader. "These cloud vendors, they don't want every health care provider's auditors coming in."

Health care entities should find out up front whether their cloud provider will offer indemnification from legal fees if the data are somehow breached, says John Halamka, M.D., CIO at Beth Israel Deaconess Medical Center in Boston. Will they help investigate what went wrong? And how quickly can they get things up and running again after an interruption?

Hospitals should be aware of the country in which the data will be stored and the specific regulatory requirements that come with the territory. Physical redundancies need to be built into the system, so if a building burns down and the servers with it, for instance, another one somewhere else keeps humming, Halamka says.

There's also the question of whether a health care provider wants to store its data in-house or on the site of a third-party provider. And health systems need to determine if it's best to adopt a cloud for each hospital or one across the organization.

Whatever the preferred choice, Halamka thinks cloud-based computing is the unavoidable future for the health care industry.

"Doctors are wonderful diagnosticians but they are not good server administrators," he says. "The cost of maintaining local hardware in a secure and reliable fashion far exceeds the cloud-hosting option. So, keep your office simple, run Web-based clients, run as simple an internal infrastructure as you can, and push the complexity to private or public cloud providers. The security will be good enough, and the cost will be less."