CSP providing Data Services for the Health Sector

An SME in the Health Sector who has built its SaaS application on an IaaS/PaaS from the CSP. Anyone in the health sector has to be compliant to mandatory sectorial standards and needs to have certain certifications. Furthermore, since this SME will process sensitive personal data, it also needs to encrypt the data in light of the applicable personal protection regulations in the EU. Even though many CSPs have such specific certifications, encryption possibilities and back up possibilities, in most cases the layers in the provided IaaS/PaaS where the customer of the SaaS CSP processes its sensitive and other data do not fall under these certifications, or encryption and back-up by default. This SME made the mistake in trusting that the provided certifications were applicable for that use, where it does not.