The Medical Blog

The Double Standard for Web-Based EMRs

Posted on December 5, 2008 at 10:51 am | 5 Comments

Why are some physicians still fearful of web-based electronic medical records (EMRs) when most of them are comfortable using web banking and e-commerce sites?

Many physicians allow all of their personal financial information to be transmitted over the Internet – including actionable credit card data – but fear using the same methods for managing their patient records.

It’s not irrational to be worried about security breaches on the web. But what is the likelihood of compromising patient data through a web-based EMR? Is it a higher or lower risk than web banking or e-commerce? And who would try to hack that information anyways?

Putting risk in perspective
Perhaps the best way to put the risk of a web-based EMR in perspective is to compare it to other online activities, such as online banking and e-commerce. Of the 200,000 claims to the FBI’s Internet Crime Complaint Center, 60% fall under the category of auction fraud (think disputes between eBay buyers and sellers), 6.3% are from credit card fraud and 2.7% are from financial institution fraud (online banks). Comparatively, web-based software or SaaS fraud is not even on the map.

According to this report, criminals are more inclined to operate fraudulent auctions or steal credit card information before prying into an individual’s health history.

Who is trying to access patient data illegally?
In the last few years, some reports of health record theft have made it into national headlines. Among the well-known cases are the incident of nurses peeking at George Clooney’s health records and a patient accidentally discovering their ability to “hack” the URLs in a patient portal. Less common are stories like a recent attempt to extort money through the threat of exposing millions of Express Scripts pharmacy records.

Most of these incidents involve theft from within a healthcare organization, rather than a malicious breach by an outside hacker. In an article from Healthcare IT News, one expert states 80% of all security breaches come from within an organization, not external hackers. David Williams from the Health Business Blog informed us of another story of inside theft, reported on by the New York Times.

We searched through examples of HIPAA violations and found that the most common scenarios are not even Internet-based, but instead involve traditional paper-based records:

  • records that are disposed of in the trash or recycling bins;
  • records that are faxed to the wrong number; and
  • records that are accidentally handed to the wrong patient.

How secure is your office?
The threat of cyber hacking is scary in large part because of the esoteric nature of information technology. We may fear what we don’t understand. But given the “traditional” nature of most HIPAA breaches, it makes sense to consider the physical security of your office. Medical offices are susceptible to crime, fires, power outages, natural disasters, rogue employees…and, of course, human error.

Few, if any, medical offices could match the measures web-based EMR vendors take to protect their data storage centers. Vendors will monitor the storage facility with 24-hour human surveillance and protect servers in highly fortified rooms. Some even go to great lengths, building out armored, military-grade facilities with servers stored underground.

What secures a web-based EMR?
To protect data transmitted between a medical office and the server, vendors use HIPAA-compliant data encryption technologies, the standard being 128-bit Secure Sockets Layer (SSL) encryption. They arm servers with firewalls to block illegitimate traffic, and install intrusion detection systems to monitor when someone tries to hack the system. Vendors also safeguard the data center where the server exists, storing the server in a highly secure compartment with uninterruptible power, air filtration and advanced fire suppression systems. At the physician’s office, the software will have permission settings for each user, allowing them to access the EMR only during specified hours and days of the week.

How is data backed up?
Web-based software vendors use data backup systems that track and store changes, up to the minute. They provide HIPAA-compliant backup logs, and own multiple data centers with disk arrays that mirror data from the primary server. Backing up data is an automatic process that requires no manual staff support, and is done over the Internet or a private network connection. Vendors do, however, dedicate teams of staff to develop and monitor the infrastructure required to make these processes possible.

Recovering data is fairly straightforward as well, as the backup system uses technology that recovers only data that has changed since the last backup. This speeds up recovery time and minimizes delays to resume office activities.

What happens if you need to switch systems?
There are scenarios in which you might need to move to a new EMR software system. Perhaps you aren’t satisfied or, worst case, your vendor is defunct. In either situation, it’s critical to get a backup of the data before you switch systems. Outline the specifics in a service level agreement (SLA), and include details of how long the data will remain available after the service ends, along with who will be responsible for transferring the data to the new vendor.

Web-based medical software uses SQL to access and store data on a database. Importing and exporting this to another web-based or on-premise vendor is not only possible, but relatively commonplace. On-premise systems that have been around for many years might rely on a proprietary database, making data transfer cumbersome and sometimes not possible. However, vendors of modern on-premise systems have adapted, and can support transfer to and from SQL databases.

Ten-check security and reliability checklist
When evaluating security of web-based EMRs, it’s important to review each system individually. Use a security and reliability criteria checklist to compare the security features of one system against another. Ten criteria from the CCHIT 2008 EHR Ambulatory list require the web-based system to:

  1. Authenticate the user before any access to health information is allowed, including when using mobile devices;
  2. Support protection of health information delivered over the Internet using encryption such as triple-DES (3DES) or the Advanced Encryption Standard (AES);
  3. Provide the ability for authorized administrators to assign restrictions or privileges to users/groups;
  4. Provide an administrative function that resets passwords;
  5. Prevent further viewing and access upon detection of inactivity;
  6. Include documentation that covers the expected physical environment necessary for proper secure and reliable operation;
  7. Generate a backup copy of the application data, security credentials, and log/audit files;
  8. Have the ability to run a backup concurrently with the operation of the application;
  9. Restore functionality to a fully operational and secure state;
  10. Detect security-relevant events and generate audit records for them.

Web-based software vendors have made great strides in protecting health records. When evaluating such systems, ask each vendor to address this ten-item security checklist.
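When asking a vendor how these controls fit together, it helps to see them as one access decision. The sketch below is an added example, not code from this article or from any EMR vendor: it combines the per-user hours-and-days permission described earlier with checklist items 5 (inactivity lockout) and 10 (audit records). All names are hypothetical and the 15-minute idle limit is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

IDLE_LIMIT = timedelta(minutes=15)  # assumed timeout; the checklist gives no figure

@dataclass(frozen=True)
class AccessWindow:
    days: frozenset   # permitted weekdays, Monday=0 ... Sunday=6
    start: time       # inclusive
    end: time         # exclusive

    def allows(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end

@dataclass
class Session:
    user: str
    window: AccessWindow
    last_activity: datetime

audit_log = []  # in-memory stand-in for an append-only audit store

def audit(when: datetime, user: str, event: str, record_id: str) -> None:
    audit_log.append({"time": when.isoformat(), "user": user,
                      "event": event, "record": record_id})

def authorize(session: Session, record_id: str, now: datetime) -> bool:
    """Decide one chart access. Denials are audited as well as grants."""
    if now - session.last_activity > IDLE_LIMIT:
        audit(now, session.user, "DENY_IDLE_TIMEOUT", record_id)
        return False  # caller should end the session and re-authenticate
    if not session.window.allows(now):
        audit(now, session.user, "DENY_OUTSIDE_HOURS", record_id)
        return False
    session.last_activity = now  # only successful access counts as activity
    audit(now, session.user, "ALLOW_VIEW", record_id)
    return True

if __name__ == "__main__":
    # Constructed sample: weekday clinic hours, 08:00-18:00.
    clinic = AccessWindow(frozenset(range(5)), time(8), time(18))
    friday = Session("nurse_a", clinic, datetime(2008, 12, 5, 10, 0))
    print(authorize(friday, "chart-1001", datetime(2008, 12, 5, 10, 5)))   # active, in hours
    print(authorize(friday, "chart-1001", datetime(2008, 12, 5, 10, 30)))  # idle 25 minutes
    saturday = Session("nurse_a", clinic, datetime(2008, 12, 6, 9, 0))
    print(authorize(saturday, "chart-1001", datetime(2008, 12, 6, 9, 1)))  # weekend
    for entry in audit_log:
        print(entry)
```

Because the insider incidents discussed above are the common case, the denied attempts in the audit trail matter as much as the grants.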


5 Comments

 

[...] risk than web banking or e-commerce? And who would try to hack that information anyways?” Article Houston Neal, Software Advice,  5 December [...]

The development of portable USB electronic medical record (EMR) storage devices with its wireless health information capabilities could be a step in the right direction in stemming the tide of mistrust and fear. Patients now have the ability to say who views their medical history because they (the patient) will be in total control of their medical records. The USB EMR can have certain portions of their medical records encrypted so that only the individuals that have been granted access by the patient will be able to view the data. In the event that their personal use EMR is lost or stolen, even the savviest of thieves wouldn’t be able to access the patient’s medical records, thus preventing them from falsely using that person’s social security number, name, address, etc.

Comment by Jay Byers
December 16, 2008 @ 5:55 am

Excellent write up that provides an overview of the issues of fraud in the medical record space. I agree that if a hacker wanted to penetrate my records, he/she would start with bank accounts and credit cards.

If a hacker was into insurance fraud, they would need to go to greater effort to impersonate me and/or submit fraudulent claims on my health insurance accounts.

Bottom line? There are any number of ways a hacker can access data. The CCHIT standards create a level of security and audit trails that help to prevent breaches.

Comment by Deborah Leyva
February 4, 2009 @ 6:17 am

[...] his Software Advice blog (The Double Standard for Web-Based EMRs), Houston Neal argues that some physicians are unreasonably wary of using web-based electronic [...]

However, none of that absolves old media from its creaky reluctance to embrace technology or to revamp its money-bleeding distribution model.

Comment by John40
October 22, 2009 @ 7:17 pm

