Continuing the Discussion…Data Backups: Leave it to the Experts

Monday, 29. March 2010

I’ve been following with interest the blog dialogue about data backups. Having spent more than a quarter century in the information technology industry and the health care technology business, I’d like to offer our perspective on this very critical issue.

John, you’re right. A very large number of doctors in the market for EMRs today are still considering client server systems, and they should be very concerned about finding a viable backup method. However, the data backups that you’re talking about — which may be nice for some files such as Excel files or family photos — do not come close to offering the level of protection necessary for mission critical health care applications like electronic health records.

Backing up a live database containing patients and clinical information in a secure (consider HIPAA) manner and with a high degree of confidence on a regular basis is considerably more complex. We’re talking about a complete paradigm shift in the way that doctors think about data backups, which, if not yet recognized, will soon envelop the health care industry as more and more doctors begin to use EMRs. Do you seriously think banks use some of the services you mentioned to back up financial data?

Software as a Service (SaaS) vendors, like Nuesoft, are not just in the business of providing process automation to the healthcare industry in the form of Electronic Medical Records. HIPAA compliant redundancy in the form of a live backup is at the core of this technology offering. We provide central delivery of fault tolerance, load balancing, and other critical aspects of managing a network. It’s much more than trivial passive backups. We guarantee up-time and continuous secure access to clients’ data in real time.

You alluded to the trust factor. If trust is at the core of this discussion, it’s hard to imagine that most doctors would trust a staff member, let alone themselves, to sufficiently manage their backup processes (not to mention provide for the security and on demand access of their data). You can look to numerous recent examples in the news media of security breaches or other unfortunate and unnecessary mishaps that occurred when well-intentioned medical practices took on the backup responsibility. If an annoying little article in the local paper is not enough to deter doctors from handling their own IT tasks, perhaps the HITECH amendments to HIPAA will. The steep new civil and criminal penalties – including fines of up to $1.5 million – and public reporting requirements would be enough to put a practice out of business. That’s why we definitely advise you or anyone else against backing up this sensitive data on a USB stick.

Thank you for engaging us in this discussion. We’ve enjoyed it so much that you got us thinking more about the need to extend the conversation to health care professionals, and so we are planning to write an article about the many complexities of IT management for small medical practices in the modern era. Of course, you can bet that we’ll let you know when it is available!

–Massoud Alibakhsh, President and CEO

How Much EHR Oversight is Required to Ensure Patient Safety?

Tuesday, 16. March 2010

The announcement earlier this month by the Office of the National Coordinator for Healthcare IT (ONC) about its notice of proposed rulemaking for EHR certification may have overshadowed some other significant news recently coming from the U.S. Department of Health and Human Services (HHS). With the anticipated increase of electronic health record adoption over the next few years, it appears that in addition to rolling out a new voluntary EHR certification program, HHS – via its daughter agency FDA – is considering regulation of health information technology systems.

Dr. Jeffrey Shuren, director of FDA’s Center for Devices and Radiological Health (CDRH), gave testimony at a hearing late last month of the Health Information Technology (HIT) Policy Committee, Adoption/Certification Workgroup. The purpose of the hearing was to discuss potential HIT safety concerns and how to address them.

According to Shuren: “The FDA recognizes the tremendous importance of HIT and its potential to improve patient care. However, in light of the safety issues that have been reported to us, we believe that a framework of federal oversight of HIT needs to assure patient safety.”

Shuren and the FDA are considering regulation under the premise that EHRs are medical device data systems (MDDS), and thus fall under the FDA’s regulatory jurisdiction. He presented a continuum of regulatory options – ranging from pre-market review to post-market surveillance.

Some in the HIT blogging community have written about the public health and safety benefits of increased oversight. But the challenge at hand for the government is to find a way to foster the development of safer systems, while not hampering innovation at a time when government, patients and industry are all finally recognizing HIT’s tremendous potential to control costs and improve patient care.

What are your thoughts? Is a voluntary, structured certification program like the one that will be rolled out this year under the Health Information Technology for Economic and Clinical Health (HITECH) Act enough to ensure that EHR systems will be safe? Or, do we need to take things a step further through a mandatory regulatory program?

Why Are Offsite Backup Systems Still Part of the Discussion?

Thursday, 4. March 2010

In a recent post by John Lynn on the EMR and HIPAA blog, he broached the subject of off-site backup services, and suggested some solutions for medical practices that need a way to back up their patient data.

Nuesoft has nothing but respect for Lynn and the EMR and HIPAA blog, but we can’t help but feel that this post missed the mark a bit. Rather than encouraging medical practices to look for quick and easy fixes to the pesky backup problem, why not remove backups from the health information technology dialogue? Data backups are a by-product of client server technologies of the 1990s. To truly reach the level of widespread health information technology adoption that the government is envisioning, we need to look toward more modern and viable HIT solutions.

Most EMR solutions installed in medical practices are client server models. While users of some of these client server systems may opt for a backup solution like those described in Lynn’s blog, the vast majority will handle backups themselves. Let’s be realistic – how many doctors have the time or the expertise to adequately replicate data and ensure that it is completely secure (and HIPAA compliant) and fault tolerant? To do so requires a practice’s main server and its database to be replicated to a backup server within the same network, or connected via a wide area network, and then monitored constantly. The answer is, most doctors aren’t equipped or staffed to handle backups, and the result is that the backups just won’t get done – or at least not to a level that is adequate or truly secure.

Nuesoft wonders why, in this push for broad EHR adoption, more people aren’t concerned about the fault tolerance issue and discussing it openly. EHRs are truly mission critical applications. Timely access to information by a provider can have life or death consequences. Consider this: there are 161,200 medical practices in the United States. If we assume that a conservative 45 percent of these practices adopt a client server EMR under HITECH, and that a mere 1 percent of those EHR systems go down and leave users without access to patient data, think of the number of practices – and patients – that would be impacted! Providers would be without access to patient charts, and would lack the ability to review drug allergy or interaction information, medical history, or other critical components of the patient record.

This is a frightening – albeit realistic – picture of the potential risk that client server models, with their many shortcomings, pose to the health care system. It’s time to stop talking about ways to help physicians compensate for client server technologies, and embrace emerging technology models such as Software as a Service (SaaS), or cloud computing, which are better suited to a mission critical environment. Even in the event that a SaaS program is temporarily unavailable, the data is safe, whereas in a client server scenario the loss is more often than not permanent and the downtimes are much lengthier. The HITECH Act gives us the perfect opportunity to usher in new technologies like SaaS that will expand interoperability and relegate legacy technologies to a thing of the past.