For most healthcare organizations (96 percent), traditional policies and controls are slowing cloud adoption, often because they refer to specific technologies or products rather than focus on the desired security outcome. Policies often contain vendor names or capabilities that limit the application to public cloud or lack the flexibility to accommodate newer capabilities born in the cloud. Customer-specific and regulatory requirements that have been translated into on-premise security practices over the years compound the problem (see Figure 2).
Yet Accenture experience suggests that few existing security policies are in direct conflict with public cloud-based platforms as the primary landing zone for healthcare applications and data. The real challenge is to understand the new shared responsibility models of large platform providers and vendors and to develop a new set of security controls that application teams building capabilities in the cloud can easily handle.