Scott makes a lot of great points. I just wanted to go into a little bit more detail on the network front.
Let's not forget that drive encryption just protects against physical theft. Network-based attacks are much more common and simpler to execute. You don't have to be there, and you can execute them from anywhere in the world. One advantage of not running in the cloud is that network-based attacks are more difficult due to decentralization of resources and lack of exposure.
Also, vulnerabilities are likely to start popping up as cloud is more heavily used. One thing I found interesting is that there was absolutely no mention of the Heartbleed bug that affects OpenSSL certificates. This affects about 66% of the web. Both Amazing Charts and Updox run affected servers (Apache and nginx, respectively). This affected major providers like Facebook and Yahoo. Their security budgets are quite large, but they were still affected. Lots of companies are still doing audits to find out if they were as well. The vulnerability has been around for 2 years, but was only discovered recently.
And regarding what Sandeep posted above...it seems true that there are very few options to protect "data in motion" on your network. So, as long as the server is up and running, in theory someone who can attach to the network can grab your SQL database (or your ImportedItems folder). You do the best you can there to prevent unauthorized access.
There are some very simple and affordable solutions, such as using Active Directory to secure your network. Essentials streamlines the process for users. There is a common misconception that servers need to be expensive hardware. You can install a server OS on any hardware. If you previously deemed a desktop/off-the-shelf computer sufficient to run your practice, that same logic should apply to the server. AD authenticates on multiple levels. Even the machines themselves are authenticated against the domain. If the machine isn't part of it, it won't be allowed to authenticate. That protects your network from a wide variety of threats.
HOWEVER, under the current climate, I would say that you'd be crazy to keep any PHI...patient lists/data, documents/spreadsheets, your AC SQL database, your imported items, your incoming Fax documents folder, your BACKUPS, etc...on a drive that doesn't have encryption.
For me the idea of having Everyone on the permissions list allowing unchecked network access to crucial patient data is crazier. I could get on your network and walk out with your entire practice no matter how much drive encryption or whatever physical safeguards you have. The scarier part is that you would never know I did.
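The post above warns about "Everyone" sitting on the permissions of the folders that hold PHI (the SQL database, ImportedItems, incoming faxes, backups). The following PowerShell script is an added example, not code from the post or from Amazing Charts, that audits those folders for broad Allow entries and, with `-Fix`, replaces them with a domain group. The folder paths, the share audit and the group name `PRACTICE\Clinical-Staff` are assumptions; substitute your own. Run it in an elevated session on the file server.

```powershell
# Added example (not from the original post): audit NTFS and SMB share
# permissions on PHI folders for "Everyone"-style entries and optionally
# replace them with a specific Active Directory group.
# Paths and group name below are assumptions; change them for your practice.
param(
    [string[]]$Paths = @('D:\ImportedItems', 'D:\IncomingFax', 'D:\Backups'),  # assumed
    [string]$ReplacementGroup = 'PRACTICE\Clinical-Staff',                     # assumed AD group
    [switch]$Fix
)

# Principals that grant access to effectively anyone who can reach the share.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-BroadAces {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value
    }
}

foreach ($path in $Paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping $path (not found)"
        continue
    }

    $acl   = Get-Acl -LiteralPath $path
    $broad = @(Get-BroadAces -Acl $acl)

    if ($broad.Count -eq 0) {
        Write-Output "$path : OK (no broad Allow entries)"
        continue
    }

    foreach ($ace in $broad) {
        Write-Output ("{0} : {1} has {2} (inherited={3})" -f
            $path, $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited)
    }

    if (-not $Fix) { continue }

    # Break inheritance first (copying inherited rules as explicit ones) so the
    # parent's Everyone entry cannot flow back in, then persist and re-read so
    # the copied rules are removable.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $path -AclObject $acl
    $acl = Get-Acl -LiteralPath $path

    foreach ($ace in @(Get-BroadAces -Acl $acl)) {
        # Remove every explicit rule for this identity on the folder.
        $acl.PurgeAccessRules($ace.IdentityReference)
    }

    # Grant the specific staff group Modify, inherited by subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ReplacementGroup, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
    Write-Output "$path : replaced broad entries with $ReplacementGroup"
}

# Share-level permissions are a separate gate from NTFS; "Everyone/Full Control"
# on the share is common and worth listing too (SmbShare module, Server 2012+).
if (Get-Command Get-SmbShareAccess -ErrorAction SilentlyContinue) {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name
    } | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $_.AccountName
    } | ForEach-Object {
        Write-Output ("share {0} : {1} has {2}" -f $_.Name, $_.AccountName, $_.AccessRight)
    }
}
```

Run it without `-Fix` first and review the report; the script only rewrites ACLs when asked. Share-level entries are reported but not changed, since the right fix there depends on how the share is used (`Grant-SmbShareAccess` / `Revoke-SmbShareAccess` cover that case). Removing "Everyone" is what makes the machine-and-user authentication the post describes actually matter: a domain-joined workstation still gets nothing on these folders unless its user is in the group you grant.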