
In 2009 I was building an enterprise medical imaging SaaS for hospitals, and we would constantly come across hospital IT admins who were adamantly against trusting a cloud vendor with their sensitive healthcare data - even one that's audited, security-checked and whose sole responsibility is to take care of these images.

We always thought it was a joke that these guys questioned us, when we knew how bad their internal security practices were. At some point around 2011-2012 we seized on the idea that holding your images inside of the hospital's four walls was a liability for them, and not a point of pride.

So, not at all surprised about this, nor about the complete lack of security practices at many of these healthcare IT vendors.



> In 2009 I was building an enterprise medical imaging SaaS for hospitals, and we would constantly come across hospital IT admins who were adamantly against trusting a cloud vendor with their sensitive healthcare data

This still rings very true in 2020.


Lots of open S3 buckets full of critical data not helping the counterargument. Security is hard, proving you’re secure to others more so. How do I know you’re not just storing my data in S3, abstracting away the mechanism, but your bucket policy or ACLs are garbage? I don’t. Cloud does not immediately mean more secure.


The point I was making isn't that the cloud is naturally more secure, it's that the company was 100% focused on medical imaging, not the 1000 projects a typical network/system admin at a hospital has to juggle.



