Cloud Computing: Questions to Ask
Experts Offer Insights on Assessing EHR Security Provisions
As a result, some are considering using remotely hosted EHRs, or specific clinical modules, that use the cloud computing model. But experts advise healthcare organizations to look before they leap because remotely hosted applications can add security risks.
Hospitals and physicians should ask detailed, probing questions about security when considering whether to work with a vendor offering a remotely hosted EHR or other clinical system, says Kelly McLendon, president of Health Information Xperts, Titusville, Fla.
Some vendors, unfortunately, are failing to offer well-versed answers on security, he argues. "The answers are a little more nebulous, almost cloud-like," he says.
When it comes to cloud computing, McLendon says, "Security risks revolve around not having primary direct control of the software and hardware platform, and relying on a third party to manage the security processes. It gets much harder to document exactly what the platforms are, and exactly what the security procedures and policies are that are associated with them. It adds an element of complexity."
As a result, hospitals and physician groups should "take extra time to understand the documentation" for security protocols, tools and audit logging, McLendon stresses. That includes determining how the data is stored, how many copies are kept, who has access to the information and how the data center is kept physically secure.
HIPAA Compliance
Proposed modifications to the HIPAA privacy, security and enforcement rules make it even more clear that business associates, including vendors that remotely host applications, must comply.
"So it is important to make sure that the organization that will be offering the remotely hosted application has HIPAA compliant/HIPAA trained people who understand the importance of keeping personal health information secure," says Robert Wah, M.D. Formerly the Department of Health and Human Services' deputy national coordinator for health information technology, Wah now is vice president and chief medical officer at Computer Sciences Corp.'s North American public sector civil and health services group.
"It's important to remember that when you look at security there are really two pieces: the physical or technology security and the people and processes," Wah says. "Many times breaches do not occur because there is a technology failure, but because there is a human process failure; somebody loses something or leaves something unattended."
To have their software certified as qualifying for the Medicare and Medicaid EHR incentive program, which is funded by the HITECH Act, EHR vendors must demonstrate a long list of security capabilities, including encryption and authentication. Because no EHR applications have been certified yet, shoppers should ask vendors to outline precisely how they plan to meet the certification criteria.
Dedicated Space
To help ensure the security of remotely hosted data, healthcare organizations should "make sure that they have dedicated space in the hosted environment," says Jack Daniel, project lead for security services at Concordant, North Chelmsford, Mass.
"A lot of times, environments are shared," Daniel laments. "And obviously, if environments are shared, that means information isn't necessarily siloed, and you're relying on lower-level access control mechanisms. You definitely want your own, dedicated space, so that the space could be controlled and secured adequately, to meet your regulatory and security needs."
Daniel also urges prospective cloud computing clients to ask for any audit or vulnerability scan reports the vendor has completed on their infrastructure and application. "And if they can't provide you any types of audit reports or past security assessments, at that point, you're going to want to have a third-party assessment done on the product, or conduct one yourself," he says.
Wah offers other tips for those considering a remotely hosted EHR system, including:
- Make sure your organization has multiple paths to the data center "so that you are not reliant on a single point of failure."
- Check on how the vendor uses encryption to protect data at rest, in transit or in use. "And make sure the encryption keys are not stored in the same place as the data."
- Specify in the contract that the vendor is responsible for security and for compliance with federal and state regulations as they're updated.
- Insist that the vendor spell out plans for backing up data.
- Make sure the contract spells out what happens to the data if the vendor goes out of business or the agreement is terminated. For example, the contract should outline how all data will be transferred back to the hospital or physician group and how data residing on the vendor's systems will be destroyed. "It is always better to deal with that at the outset of the contract as opposed to at the last minute."