A federal government agency's recent blessing for insurance issuers to use Amazon Web Services is a sign of changing attitudes toward cloud security.
The Centers for Medicare & Medicaid Services (CMS) confirmed this month that it approved the use of AWS for processing and storing healthcare data as part of new risk adjustments mandated under the Affordable Care Act of 2010.
Under the law, funds are transferred between high-risk pools of patients and low-risk pools to protect insurance issuers financially. To identify which groups are higher-risk, patient data must be analyzed and the results submitted to CMS before funds are redistributed.
This analysis can now be done using AWS' Elastic Compute Cloud. Issuers can create an Amazon account and download a particular application to do the data processing for CMS, where previously, only internally managed hardware was approved.
Tech experts say this has implications for a wider IT market that has harbored doubts about AWS cloud security.
"If AWS is good enough for the government, it's probably good enough for you," said Dave Bartoletti, analyst with Forrester Research based in Cambridge, Massachusetts. "Everyone considering AWS should take a fresh look at AWS' current certifications and security practices -- they might be better than what you've got in your own data center."
"Particularly for emerging firms that don't have the expertise or resources to build out a compliant data center, AWS-like environments become very attractive to allow firms like ours to focus on core competencies," said Brendan McKernan, president and co-founder of Courtagen Life Sciences Inc., a genetic testing company based in Boston.
However, some larger companies that are eligible to use AWS following the CMS decision are undecided.
Aetna Inc., a large insurance issuer based in Hartford, Connecticut, already has a relationship with AWS through its healthcare technology subsidiary Healthagen, but it also purchased hardware to perform the CMS data analysis under the original requirements.
"This is something that the industry has asked about since Day 1, for the past couple of years, whether or not cloud computing or virtual servers are allowed for this purpose," said John Caruso, a senior director at Aetna. "The timing of it could've been better if we'd known about it in advance."
Caruso said the company will evaluate the suitability of AWS services according to their performance and availability, rather than scrutinizing cloud security.
Meanwhile, it would also be preferable for CMS to approve the use of other cloud vendors.
"Ideally, they wouldn't lock us into one specific vendor from a cost perspective," Caruso said.