Updated April 12, 2025
Every industry has embraced the trend of moving to the cloud. Doing so helps companies be more operationally efficient, reduce costs, and improve cyber defenses. However, healthcare has been a bit slower to migrate, with all the complexities of regulations around the collection, storage, and usage of ePHI (electronic protected health information). Healthcare cloud adoption is accelerating as organizations realize it’s the future.
While many rewards come from moving to the cloud, risks remain. The data on healthcare’s cloud adoption offers some insights worth discussing. Below, we’ll look at the data, its meaning, and how to be smart about cloud usage.
The Majority of Healthcare Organizations Are Using the Cloud
A recent survey of healthcare IT professionals revealed that 70% have moved to cloud computing solutions. Another 20% expressed a desire to migrate. Other findings included:
- 94% of those who completed a cloud migration said they would recommend it to their peers.
- 84% said it was easier to maintain compliance in the cloud.
- 60% of those who haven’t migrated listed that maintaining compliance was the most challenging part of transitioning.
- Physician offices and dental practices were the least likely areas of healthcare to use the cloud.
This data illustrates the dichotomy of cloud computing. IT professionals who migrated rated the move as positive and as a help with compliance. Yet those who have not migrated name compliance as the barrier to adopting the cloud. The acceleration of adopters needs some context.
Healthcare has had the opportunity to move to the cloud just like any other sector. There was general encouragement to do so. It has become untenable to maintain on-premises servers due to costs, absence of expertise, and a lack of cybersecurity employees. The final push for many was the pandemic, which required a more flexible and agile network.
Other trends have driven the need for the cloud, including hybrid work models, adding medical IoT (Internet of Things) devices to the network, expanding telehealth services, decommissioning legacy systems, and data interoperability.
Yet, with all its benefits, using the cloud has risks. Healthcare continues to be the most attacked industry, with regular breaches and incidents of ransomware increasing. There is no way to eliminate all the risks, but the cloud has strong pillars of resiliency and security.
Let’s look further at the risk landscape.
Risk and Opportunities in Healthcare Cloud Adoption
A cloud adoption and risk report provides more insights for this discussion. Any healthcare organization has had and continues to have conversations about the cloud. You have unique needs and challenges centered around protecting data used across many cloud applications and services. Data visibility is murky, and implementations are slow.
Key findings from this report include the following:
Worries About Shadow IT
Healthcare IT professionals have big concerns about shadow IT, especially in large enterprises or systems. Many users could be accessing applications without IT’s knowledge. Nearly three-quarters (74%) of survey respondents said it was something they worry about.
Cloud Adoption Is Growing with Caution
The risk report showed lower adoption rates than the previous survey, but the data needs context again. Most healthcare entities have applications in the cloud, but they may not be using it for the bulk of operations. There was only slight growth in the number of public cloud services used, which was 24 in 2023.
The cautionary approach to adoption involves concerns about controlling data and integrating legacy systems. There are signs that healthcare wants to use more public cloud services and applications. Compared to other industries, the sector actually uses more Google, AWS (Amazon Web Services), and Microsoft SharePoint.
This would indicate a lot of data sharing, which is essential in the delivery of care, likely between SaaS (software-as-a-service) applications. Of course, more sharing leads to greater risks. 98% of healthcare IT professionals said they have issues with SaaS.
The Problems with SaaS
The SaaS issues they face include shadow IT, lack of visibility into what data is in which cloud application, inability to assess the security of the cloud application provider’s operations, and not having staff with the right skills to manage it.
There is a SaaS application for any tools needed in healthcare, from claims management to remote patient monitoring software to EHRs (electronic health records). Healthcare IT has good reason to recognize the threats of adding these to the network. Unfortunately, they aren’t always included in the conversation about deploying new SaaS platforms.
Legacy System Complications
Legacy systems are a thorn in the side of healthcare IT. Replacing them requires substantial work and adds to infrastructure complexity. Much of the challenge lies in insufficient funding. Yet, IT teams are keenly aware of the need to migrate, as legacy systems pose bigger security risks, especially if the provider no longer updates them.
Cyber and IT Staff Labor Shortages Hurting Healthcare
It’s no secret that there is a cyber workforce shortage. Across all industries, millions of jobs remain unfilled. This serious situation increases risk, and survey respondents relayed that it has impacted the adoption of the cloud.
Hesitancies Over Storing Data in the Cloud
Another problem keeping healthcare from adopting the cloud is the concern over data. Sensitive data is currently in the cloud, and it’s not just ePHI. Competitive information, internal documentation, proprietary and intellectual property, and more also have a home in the cloud.
Additionally, data sharing between internal applications and external ones happens regularly. Ensuring secure interoperability is challenging due to the absence of standardization and many applications built on old architecture.
All these risks are present with on-premises systems, too. In the case of most clouds, layered security is stronger, and data backup and redundancy are in place. In securing the cloud, healthcare applies many strategies.
How Healthcare Is Securing the Cloud
The survey asked respondents what they were doing to secure cloud services. The top answers were:
- Data loss prevention (DLP) and encryption
- Migrating shadow IT to an approved service
- Controlling the functionality of certain applications
- Fixing identified security deficiencies
However, very few regularly audit applications. Organizations face the challenge of simplifying cloud computing while also improving security. Those that have had a cybersecurity breach, threat, or theft of data have responded by:
- Increasing investments in cybersecurity
- Refining or creating disaster recovery
- Moving toward zero trust
Making these changes, along with constantly monitoring and retooling cybersecurity policies and protocols, is an enormous burden. Most organizations cannot manage this on their own. Achieving clarity around applications, data storage and usage, and access is critical yet hard to do. Healthcare IT has more on its plate than just cybersecurity. It’s why so many find partners to support their efforts on their journey to cyber resilience and reduction of risk.
Getting to a Place of Confidence About Cloud Adoption
The risk of the cloud is a reality, but not adopting it doesn’t eliminate threats. Cyberattacks happen to on-premises systems. Those often cripple operations and could lead to adverse outcomes for patients. Additionally, the cost to keep things in-house will only increase, impacting your organization’s ability to pivot and adapt.
To get to a place where you feel confident about fully embracing the cloud, you can do several things to strengthen your healthcare cybersecurity ecosystem.
Initiate Regular Pen Tests
Pen tests simulate a cyberattack within your network carried out by ethical hackers. You can work with a firm to perform these tests across several areas. Pen tests can cover the following:
- SaaS and web applications
- Cloud security
- HIPAA compliance measures
- Network security
- IoMT
They’ll provide clear results on what vulnerabilities are present and exploitable by hackers.
Make Vulnerability Assessments Part of Your Cyber Framework
Along with pen tests, vulnerability assessments offer insight into the gaps in your security protocols. They also help satisfy the requirements of the HIPAA Security Rule. With these evaluations, experts provide reports to improve your risk posture and management. The findings from vulnerability assessments help you:
- Prioritize fixes with classifications of vulnerabilities found as critical, high, medium, or low.
- Create an inventory of all devices on your network and system information.
- Establish a risk profile.
- Plan upgrades.
- Manage resources more effectively.
- Improve the overall security of your organization.
Pen tests and vulnerability assessments are critical in monitoring cloud security and being able to thwart attacks. Working with a team that specializes in performing these for healthcare gives you an advantage. They complement each other and should both be part of your cybersecurity strategy.
When considering a partner, focus on:
- How they carry out assessments, which should involve manual and automated scanning
- What credentials they have that demonstrate their expertise, such as CISSP, CSSLP, OSCP, ECSA, LPT (Master), and CEH
- What methodology they use, and if it’s proven
- How they support you after fixes, such as with a remediation validation test (RVT)
- What their reporting looks like, and if it’s generally practical and useful
At Blue Goat Cyber, we are healthcare cybersecurity experts. If you want to adopt the cloud completely or partially, we can help you plan for a migration with a security and compliance approach.
Healthcare Cloud Adoption FAQs
Healthcare organizations are adopting cloud solutions to improve scalability, data accessibility, interoperability, and cost-efficiency. Cloud environments enable faster deployment of services, easier remote access, and enhanced collaboration across care teams.
Yes—but only if the cloud service provider (CSP) signs a Business Associate Agreement (BAA) and meets the technical, administrative, and physical safeguards required by HIPAA’s Security Rule. Compliance is a shared responsibility between the provider and the healthcare entity.
- Data breaches or leaks
- Misconfigured storage (e.g., open S3 buckets)
- Weak access controls
- Insecure APIs
- Third-party risks
Attackers target cloud-based PHI due to its high value on the black market.
Cloud platforms support:
- Real-time data access for care coordination
- AI-driven diagnostics and decision support tools
- Remote patient monitoring (RPM)
- Telehealth services
- Faster disaster recovery and system uptime
A healthcare cloud risk strategy should include:
- Threat modeling and risk assessments
- Continuous monitoring
- Identity and access management (IAM)
- Data encryption (in transit and at rest)
- Incident response plans
The strategy should be aligned with frameworks like NIST CSF and the HIPAA Security Rule.
Many modern medical devices are cloud-connected. This expands the attack surface and requires:
- Secure communication protocols
- SBOM management
- Authentication and session control
- Regulatory-ready cloud infrastructure
- That cloud is inherently insecure (when properly configured, it’s often more secure)
- That compliance is the CSP’s responsibility alone (it’s shared)
- That migration is simple without redesigning legacy apps or security policies
Look for CSPs that:
- Offer HIPAA-compliant services with BAAs
- Provide security certifications (e.g., HITRUST, ISO 27001, FedRAMP)
- Support auditing and logging
- Offer role-based access control, encryption, and incident response capabilities
Yes. Depending on jurisdiction and operations, organizations may need to consider:
- FDA cybersecurity guidance for cloud-integrated medical devices
- 21 CFR Part 11 for cloud-based systems handling electronic records
- State-specific laws (e.g., CCPA, NY SHIELD)
- Cloud security assessments aligned with HIPAA and FDA
- Penetration testing for cloud apps and APIs
- Secure architecture reviews
- Threat modeling and SBOM consulting
Whether you're migrating or building new cloud-native systems, we ensure security is built in from day one.