Mar 04 2026
Cloud

Cloud-Based EHR Systems: Achieving Security and Migration Success

When migrating their electronic health records to the cloud, healthcare organizations must make security a core requirement from the start — and be clear with partners about security responsibilities.

Think of electronic health records in terms of the evolution of electricity providers, says Luis Ahumada, executive director of advanced technologies and data science at Johns Hopkins Medicine.

Before electricity became a centralized utility, various companies built and maintained their own power plants. Similarly, prior to cloud-based EHRs, organizations had to make large capital investments to own and maintain on-premises EHRs.

Just as centralized electricity resulted in less costly and more dependable power for users, cloud-based EHRs reduce capital expenses while improving reliability and consistency. “That’s why migrating to the cloud makes total sense,” Ahumada says.

Rather than overbuying hardware to try to future-proof data centers, cloud-based EHRs “allow us to pay only for what we need. We rightsized the environment and continue to do that all the time,” says Charles Christian, vice president of technology and CTO at Franciscan Health.

Plus, cloud-based EHR vendors handle software updates that healthcare organizations with on-premises EHRs must develop and release on their own. “It took a huge amount of time, knowledge and training” to release updates prior to cloud-based EHRs, Ahumada says.

The benefits of EHRs in the cloud also extend to security.

EHR Security in the Cloud: Best Practices

Migrating EHRs to the cloud enabled Franciscan Health to rebuild its security from the ground up, ensuring all of the security tools were in place from the start and not bolted on later, says Jay Bhat, CISO at Franciscan Health.

For example, when it migrated its EHR to the cloud in 2024, Franciscan Health was able to vault the backup data so that it’s safe, secure and accessible if the data needs to be restored.

“With backup and recovery, we feel a lot more secure having moved to the cloud,” Bhat says.

The redundancy and resiliency that the cloud provides are critical for business continuity and disaster recovery, according to Christian.

“We’re really resilient in terms of minimizing the downtime and impact on our end users,” Bhat says, noting that the cloud EHR also provides him access to dashboards and reports indicating compliance with HIPAA and security frameworks such as those from the National Institute of Standards and Technology and International Organization for Standardization.

Bhat advises healthcare organizations considering EHR migrations to “make security a core requirement.”

“If you make security part of the initial build and have the appropriate segmentation and controls, you’re in a much more secure environment after your migration is complete,” he says.

Christian compares designing security in the cloud to building a house: “You don’t wait until the house is up to put in the wiring — you do both together.”

EHR Security Measures: Defining Responsibilities

“Protecting private patient data is the most important responsibility for a healthcare institution,” Ahumada says.

Cloud-based EHRs help healthcare organizations fulfill that responsibility.

Just one employee clicking on an attachment in a phishing email can create a cascade of problems for the entire organization. Each employee interaction with each system represents a potential vulnerability. With cloud-based EHRs, however, security is managed at a central point, Ahumada says.

But that advantage also comes with a risk. “That central point becomes a single point of failure,” he says. If that point is breached, bad actors can gain broad access to sensitive patient and organizational data.

To gain the benefits of a cloud-based EHR while mitigating the risks, healthcare organizations must carefully consider the security measures of both their EHR software vendors and their cloud platforms — and carefully specify each party’s security responsibilities in their business agreements.

“We expect the highest standards from our vendors, and that involves a lot of planning, testing and piloting before moving to the cloud,” Ahumada says of Johns Hopkins’ Epic migration, which began its planning stage about two years ago and will be completed in about one year. “Security is a shared responsibility between the vendors and the healthcare organization.”

For Christian, the responsibility of maintaining secure data ultimately rests with the healthcare organization. “I don’t think it’s up to the EHR vendors to provide security. It’s up to us to secure the data,” he says, noting that the onus of HIPAA compliance rests with healthcare organizations, not their software vendors.

Franciscan Health relies on a managed services partner that maintains Epic on Azure, but the healthcare organization doesn’t outsource its monitoring. The old maxim of “trust but verify” applies to the relationship between healthcare organizations and their managed services providers, Christian says.

“Healthcare organizations need to be diligent to make sure our security standards continue to be implemented with any new upgrades, features or integrations,” he says. “We’re the ones that have to be accountable.”

The cloud enables healthcare organizations to monitor more effectively, Bhat adds: “We have complete visibility into the security around our EHR system.”
