But are cloud-based security providers moving fast enough?
Southwest Washington's Paidhrin knows that outsourced security services are the future, yet he must keep his hospital safe today. Southwest Washington provides remote access to a network of partner clinics, which include some 2,000 medical workers. Those workers need to tap into the hospital's network via the Internet to download patient files and access more than 200 applications. Southwest Washington also has its own laptop-toting mobile staff.
For hospitals under the HIPAA hammer, Paidhrin says, the stakes are high. "We will not be on the front page here at Southwest like our good partners across the Columbia River at Providence" Health Care, whose laptop containing 365,000 patient records was stolen a couple of years ago.
Paidhrin's plan: For Southwest Washington staffers, policies keep data stored on mobile devices at a need-to-know-right-now minimum, laptops have full-disk encryption, and so on. Anyone accessing the network remotely must come through a single gateway. "We have Active Directory, LDAP, RADIUS -- all coordinated through single sign-on and all through an SSL portal," Paidhrin says. "We log and track ... with a rule-based access control matrix."
Meanwhile, most small and mid-sized businesses are taking a wait-and-see approach, says Dan Nickason, IT supervisor at Genesis Physicians Group of Texas. Simply put, they have too much to lose -- "they can easily crumble from one mishap," he says. "Although cloud computing is pushing network access to edge devices, the fact is many small and medium-sized businesses are not entrusting their IT infrastructure and computing needs to the cloud yet."
Chad Swartz is senior manager of computer operations at such a company, Preferred Hotel Group. He is implementing a new CRM system, demanded by the business, that lets people access customer data over BlackBerrys and laptops. That means he must contend with the potential of a lost phone or an employee who leaves the company and takes his BlackBerry with him.
So Swartz is using what exists today, including a secure tunnel, Citrix servers that highly limit the amount of files on end-point devices, and an audit module from Sonoma Partners. "We have not incorporated full-disk encryption yet, but that's definitely the next evolution," he says.
Of course, Swartz knows securing data in today's mobile, work-anywhere world isn't perfect. "Internet security is very immature," he says, echoing Paidhrin's words. "Big picture," Swartz adds, "if someone really, really, really wants to get in, they can still get in."