Risks of Hosting Practice Data in the Cloud Vs. Locally

Software involving the “cloud” is becoming ever more popular amongst health professions due to the myriad of benefits it delivers. This concept is not new: twenty years ago the internet was represented on flowcharts as a cloud, primarily because it took information in and routed it somewhat invisibly to another destination. More recently this concept has become very specialized, and consumers can now take advantage of cloud computing through hosted systems that store photographs, files (e.g. Google Docs), and even information via the web. Today, the 14th largest software company by market capitalization (Salesforce.com) operates almost entirely in the cloud, and this sector is predicted to grow to over $200B (US) worldwide by the end of 2013 (Source: Merrill Lynch).

Despite the growth and technical advancement in cloud computing, many companies resist the temptation to join the cloud due to the perceived risks, instead maintaining control locally. As we know, cloud-based practice management providers offer many benefits, most notably scalable and flexible access to computing resources anywhere at any time (i.e. mobile). With this increased amount of business data and computing power come increased security risks, requiring special considerations and attention. This article will outline some of the risks involved in hosting your data locally versus in the cloud, along with some helpful questions to consider prior to subscribing to a cloud-based software provider.

Risks and Responsibilities of Hosting Data Locally

In the past, clinics have commonly installed a Windows or Microsoft software application locally on their computers/servers to retain client information. This could also refer to paper files in a filing cabinet (your server/database).

Have you ever considered that doing this carries a number of responsibilities if you continue to resist cloud software/practice management systems? Your responsibilities when storing the information locally include –

1. Anti-virus software

  1. Do you maintain the security of your servers/computer anti-virus system?
  2. Do you undertake virus scans on a regular basis?
  3. Is the virus software up to date?
  4. Is every computer in the network covered?
  5. Does it protect your email system?

2. Operating system

  1. Is the operating system you are currently using stable (e.g. Windows, Lion/Mac OS X, etc.)? Are you aware of its weaknesses?

3. Firewalls

  1. Is there a firewall for your server?

4. Back-ups

  1. Do you back up the data on a regular basis?
  2. Are the back-ups stored off-site? Is that site secure?
  3. Do you test the back-ups – is the information on them recoverable?

5. Remote access – Do you access your clinic database remotely?

  1. Is the connection secure?
  2. Is it over a Virtual Private Network (VPN)?

6. Is your clinic secure?

  1. Do you have an alarm system?
  2. What steps have you put in place to prevent your computers from being stolen? If they are stolen, would you be able to practice the next day? (With a cloud system you could purchase a new computer, plug into the internet and be up and running within minutes.)

7. Is your practice management software up to date?

  1. Have you installed the latest version of your practice management software with security features?
  2. Do you have to do this manually every time?
  3. Do you have to pay for this upgrade?
  4. Is it a hassle to undertake – does an IT expert have to log in remotely and do this for you?

There are probably a few things going through your mind right now that you might not have considered. As we know, a completely cloud-based system takes care of many of these hassles for you, allowing you to focus on managing your clients' care. However, by passing this responsibility over to a cloud-based provider, there are a number of risks to consider.

The Risk of Hosting Your Practice Data on the Cloud

So the question is: if I change to a cloud-based system, what are the possible risks and responsibilities of the cloud providers? These risks include –

1. Security, Privacy and Confidentiality

While the cloud technically offers a higher level of security than local servers (due to IT experts managing these environments), as cloud services become more popular they also become a more attractive target for hackers. The probability of an attack is relatively low, but even if only one is successful, the impact could be significant.

2. Loss of Data

By transferring your sensitive practice data over to a third-party provider, you risk the possibility of them going out of business, mismanaging your data or even their cloud environment crashing, all resulting in the loss of your practice data.

3. Compliance Issues

A host of IT compliance issues arises when a company decides to migrate to the cloud. These are often industry-specific regulatory issues, such as Medicare Integration, Health Funds Compliance or even Government regulations (e.g. DVA online claiming).

4. Hidden Costs

Ensure that you have all costs quoted up front to avoid potential financial damage to your company resulting from a reduction in productivity. Despite these risks, there can be significant cost savings that can be realized via the cloud.

Questions to ask your potential provider

In order to mitigate the risk, it’s important to ask your potential vendor the following questions –

1. Demand transparency

Avoid vendors that refuse to provide detailed information on security programs. Ask questions related to the staff, risk-control processes and technical mechanisms that identify unanticipated problems.

2. Ensure that there is privileged user access.

Ask providers who has access to and control over the data. Who in the organization can access it?

3. Regulatory compliance.

Customers are ultimately responsible for the security and integrity of their own data, even when a cloud service provider holds it. However, ensure that your provider complies with security certifications and audits as required.

4. Data location.

When you use the cloud, you probably won’t know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions.

5. Data segregation and encryption.

Ensure your data is encrypted and separated from the rest of the files in the data centre.

6. Recovery.

Even if you don’t know where your data is, a cloud provider should tell you what would happen to your data and service in case of a disaster. Ask if the provider has the ability to do a complete restoration, and how long it will take.

7. Long-term viability.

Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. “Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application.”


In conclusion, ask yourself whether you are doing everything possible to secure your data (either locally or via the cloud) containing sensitive client information. As outlined above, your cloud provider has a lot of responsibility, and if they are doing their job well then a secure cloud-based practice management system is, in many facets, more secure and offers more flexibility to manage your business than a locally based system. Ensure that you do your due diligence and ask the appropriate questions of your software provider before taking the plunge into the cloud.


By Darren Rieck

Darren Rieck is a physiotherapist and founder of Nookal. Nookal is a provider of practice management software for the allied health industry. They offer practice management solutions to help health clinics streamline their administration systems, effectively manage their business and improve efficiency and productivity. To learn more, visit www.nookal.com or call 1300 NOOKAL.

