Can we afford to wait for our records to be secure?

Wednesday, 16. September 2009

Privacy and security concerns are one of the many hurdles that the health care industry needs to overcome before EHR adoption catches on properly. Unfortunately, the sensible goal of making electronic health record systems interoperable (itself a complex task due to the huge variety of software solutions currently on the market) adds to these security headaches, because systems have differing levels and types of security, and security breaches in one system could, in an interoperable world, be even more serious and potentially compromise the whole nation’s records.

HIPAA (The Health Insurance Portability and Accountability Act) goes a long way to address many privacy and security concerns, but it leaves some important holes, which the Health IT Standards committee is currently seeking to address. Today, it endorsed a set of standards covering a range of security and privacy factors from access control and authentication to data integrity and document exchange. The full list of recommendations can be found here.

The idea is that these regulations are setting baselines that can be improved upon over the next few years, thus walking the fine line between being so stringent that they prevent development of compliant EHRs and hamper adoption, and yet still preventing widespread security breaches. For example, Kerberos/EUA authentication will not be allowed after 2011. This type of authentication is flawed because all users’ secret keys are stored on a central server, meaning a compromise of that one server will compromise all users. The reason it is allowed until 2011 is that some systems don’t even have enterprise-user authentication set up at the moment.

This prompts the obvious concern that hackers won’t do the sporting thing and wait till security is ramped up several years from now before trying to hack into systems. There are systems out there right now that contain patient data that are simply not secure, even by basic standards.

All of this rather worrying information provides a compelling argument that the industry should move away from the client-server model where physician practices are keeping patient information and charts on a server in the back room, to one in which technology professionals whose very job is to keep massive amounts of data safe are managing it all “in the cloud”.

Such technology companies – including Nuesoft – are likely to have security and privacy guidelines far in excess of what is mandated, because they have far more at stake in the event of a security breach. For a more technical discussion of what the HITSP standards mean and whether they are sufficient, you can read this balanced post written by a member of the HIT Standards Privacy and Security Committee.
