Compliance and the Cloud: What Small Businesses Need to Know


There are a lot of reasons why businesses migrate to the cloud – to cut data storage costs, to mobilize their workforce and thus make their employees more productive, and to protect their data from onsite disasters such as fires and floods.

As attractive as those benefits are, most small businesses have a few questions and concerns that must be addressed before they’re willing to start using the cloud for their data storage needs.

Perhaps the biggest concern for small businesses is how migrating to the cloud affects compliance. Healthcare organizations have HIPAA, anyone who accepts credit cards needs to comply with the regulations established in PCI DSS, and so on.

Sixty-one percent of SMBs said that compliance is an important factor when they consider cloud storage. The following guide will introduce you to a few things you should know about the cloud and HIPAA, PCI, and ISO standards.


Hospitals and other healthcare organizations have to keep their patients’ protected health information (PHI) private, or else they face some devastating financial consequences.

“Devastating” may seem like an overly dramatic word choice, but trust us, this is not sloppy writing at play. The maximum penalty for violating a single provision of HIPAA is $1.5 million, and it’s possible for multiple provisions to be violated in the same incident.

For example, look at what happened to New York-Presbyterian Hospital and Columbia University back in May 2014. A server was deactivated, which led to over 6,000 patients having their personal info exposed online, and as a result the hospital was hit with $4.8 million in HIPAA fines.

Let’s clear up some common misconceptions – first of all, while many cloud service providers (CSPs) claim to be “HIPAA-certified”, you should know that that’s not really a thing. The Department of Health and Human Services (the organization that oversees HIPAA) does not certify CSPs.

Since the Department isn’t going to help you out here, you’re going to have to do some legwork yourself to keep your coffers safe from seven-digit HIPAA fines.

Do your research – when you’re looking into a particular CSP, find out whether they put themselves through regular independent audits to prove to their clients that their services are safe.

If so, which organization do they use for auditing? Check out that organization, and find out what it is they look for compared to the official Office of Civil Rights (OCR) HIPAA Audit Control guidelines (the OCR is the office within the Department of Health and Human Services that manages HIPAA enforcement). Any HIPAA auditing firm worth their salt should confirm that any CSP they’re auditing meets all the 169 requirements established by HIPAA.

Once you’re working up a final contract, make sure to include a business associate agreement (BAA) about HIPAA. Such an agreement ensures, in writing, that the CSP you’re working with will comply with HIPAA. It’s just a little extra incentive for that CSP to do what you need them to do.

Another common misconception is that, since you’re using a third-party CSP, you’re off the hook if something happens to your data. Even with a BAA in place, that’s simply not true: the responsibility for protecting your data stays with you.

“We still receive the occasional call from a C-level executive that thinks that engaging a HIPAA service provider to manage their PHI (Protected Health Information) workloads will essentially offload their liabilities,” said David Pollard, Regional Director of Connectria Hosting. “There are still people out there that believe that a HIPAA cloud provider somehow mitigates their own needs for compliance. Understanding your own risks in your own data center is key to understanding your risks in the cloud.”


PCI DSS is a mouthful of an acronym – it stands for Payment Card Industry Data Security Standard. Try saying that five times fast.

PCI controls are what protect cardholder data from being compromised. Credit card information is taken at the register, then transferred over the network, and finally stored on a server – protecting that information through the entire process can be difficult. That’s why a CSP that wants to truthfully say they’re PCI DSS compliant is going to have to make sure they meet the 250+ PCI DSS controls first.

Small retail businesses have a lot of competition. Not only are there the local businesses in town that do just about the same thing at roughly the same price, there’s also the major online retailers like Amazon and eBay that siphon off a good number of potential customers as well.

Finding success in this difficult environment is going to be all but impossible if someone’s credit card is compromised because of a security breach at your store. If that happens, you’ll forever be known as “that place where that guy got hacked,” and people will prefer to shop at a store that isn’t known for poor security (no one likes having to cancel a credit card and/or deal with fraudulent charges). A CSP that complies with PCI DSS helps you keep your reputation intact.


In February 2015, Microsoft made news by becoming the first major cloud provider to adopt ISO 27018 security standards to protect personally identifiable information (PII).

So what does that actually mean?

Following the regulations established in ISO 27018 ensures that a CSP does the following for your organization:

  • Provides Strong Security – ISO 27018 contains strict rules on how PII is transferred over networks, stored on servers, and restored for data recovery purposes.
  • Keeps You in the Know – You will know where your data is and if any third parties are also handling your data.
  • Prevents CSPs from Using Your Business as a Marketing Tool – Some CSPs use the customer data of their clients for their own marketing purposes. If they’re complying with ISO 27018, they can’t do that.

There are currently no certifications specifically for ISO 27018, but any CSP that has earned an across-the-board ISO 27001 certification complies with ISO 27018 by definition.

Any small business that places security and privacy as high priorities (for example, all those healthcare organizations and credit card handlers we mentioned earlier) should see ISO 27018 compliance and ISO 27001 certification as a huge plus.

About the Author

Alex Miller is an Analyst at Clutch, a Washington, DC based B2B ratings and reviews website that highlights leading software and professional services firms. Clutch’s research helps start-ups, mid-market and large enterprises find partners that meet their needs, whether for a one-off project or a long term relationship. Alex heads the cloud research segment at Clutch.
