Nuesoft Website  |  Blog Home  |  Contact Information

Hospitals and practices are concerned about the security of their patients’ information, and rightfully so. The fear of data pirates and hackers prevents many health providers from making the switch from paper records to electronic ones. However, as this Colorado hospital discovered, sticking to paper records won’t prevent the possibility of confidential patient information being compromised or stolen.

In fact, providers wanting to maximize the security of their patient information might consider that it is much easier to keep patient information secure if it is housed in digital format with proper access and audit controls. Client-server-based systems that still rely on staff backing up information on tapes are simply relocating the problem, as a rash of news stories recently has proven, but remotely hosted Internet-based systems can exceed HIPAA regulations, take care of backups in a secure data center, and protect data being transmitted between you and the server by using a secure, private platform that avoids the cluttered, public forum of the World Wide Web.

You can find out more about the differences between client-server technology and Internet-based technology here.

Privacy and security concerns are one of the many hurdles that the health care industry needs to overcome before EHR adoption catches on properly. Unfortunately, the sensible goal of making electronic health record systems interoperable (itself a complex task due to the huge variety of software solutions currently on the market) adds to these security headaches, because systems have differing levels and types of security, and security breaches in one system could, in an interoperable world, be even more serious and potentially compromise the whole nation’s records.

HIPAA (The Health Insurance Portability and Accountability Act) goes a long way to address many privacy and security concerns, but it leaves some important holes, which the Health IT Standards committee is currently seeking to address. Today, it endorsed a set of standards covering a range of security and privacy factors from access control and authentication to data integrity and document exchange. The full list of recommendations can be found here.

The idea is that these regulations are setting baselines that can be improved upon over the next few years, thus walking the fine line between being so stringent that they prevent development of compliant EHRs and hamper adoption, and yet still preventing widespread security breaches. For example, Kerberos/EUA authentication will not be allowed after 2011. This type of authentication is flawed because all users’ secret keys are stored on a central server, meaning a compromise of that one server will compromise all users. The reason it is allowed until 2011 is because some systems don’t even have enterprise-user authentication set up at the moment.

This prompts the obvious concern that hackers won’t do the sporting thing and wait till security is ramped up several years from now before trying to hack into systems. There are systems out there right now that contain patient data that are simply not secure, even by basic standards.

All of this rather worrying information provides a compelling argument that the industry should move away from the client-server model where physician practices are keeping patient information and charts on a server in the back room, to one in which technology professionals whose very job is to keep massive amounts of data safe are managing it all “in the cloud”.

Such technology companies – including Nuesoft – are likely to have security and privacy guidelines far in excess of what is mandated, because they have far more at stake in the event of a security breach. For a more technical discussion of what the HITSP standards mean and whether they are sufficient, you can read this balanced post written by a member of the HIT Standards Privacy and Security Committee.

Privacy and security concerns are one of the many hurdles that the health care industry needs to overcome before EHR adoption catches on properly. Unfortunately, the sensible goal of making electronic health record systems interoperable (itself a complex task due to the huge variety of software solutions currently on the market) adds to these security headaches, because systems have differing levels and types of security, and security breaches in one system could, in an interoperable world, be even more serious and potentially compromise the whole nation’s records.

HIPAA (The Health Insurance Portability and Accountability Act) goes a long way to address many privacy and security concerns, but it leaves some important holes, which the Health IT Standards committee is currently seeking to address. Today, it endorsed a set of standards covering a range of security and privacy factors from access control and authentication to data integrity and document exchange. The full recommendations can be found here.

The idea is that these regulations are setting baselines that can be improved upon over the next few years, thus walking the fine line between being so stringent that they prevent development of compliant EHRs and hamper adoption, and yet still preventing widespread security breaches. For example, Kerberos/EUA authentication will not be allowed after 2011.

This type of authentication is flawed because all users’ secret keys are stored on a central server, meaning a compromise of that one server will compromise all users. The reason it is allowed until 2011 is because some systems don’t even have enterprise-user authentication set up at the moment.

This prompts the obvious concern that hackers won’t do the sporting thing and wait till security is ramped up several years from now before trying to hack into systems. There are systems out there right now that contain patient data that are simply not secure, even by basic standards.

All of this rather worrying information provides a compelling argument that the industry should move away from the client-server model where physician practices are keeping patient information and charts on a server in the back room, to one in which technology professionals whose very job is to keep massive amounts of data safe are managing it all “in the cloud”.

Such technology companies – including Nuesoft – are likely to have security and privacy guidelines far in excess of what is mandated, because they have far more at stake in the event of a security breach. For a more technical discussion of what the HITSP standards mean and whether they are sufficient, you can read this balanced post written by a member of the HIT Standards Privacy and Security Committee.

There has recently been a spate of items in the news about breaches in the privacy of patient information. It seems that electronic records, while transforming the accessibility (not to mention legibility) of patient information, have also presented a new set of security headaches for practices and hospitals alike. It’s therefore essential for those health professionals considering automation or upgrading an old system to shop around for HIPAA-compliant practice management software that has advanced security measures, not only to protect patients from the mishandling of their identity and personal information, but also to protect physicians or their practices from litigation.

Tools to look out for include user-defined permissions, which allow administrators to give users different levels of access to data, and audit trails, which produce a permanent record of which authorized users accessed a patient’s chart at what time. Additionally, some application service provider (ASP) models feature better protection from hackers than others – those that are Internet-based (as opposed to Web-based) create a private platform between you and your data rather than channeling it through the very public forum of the World Wide Web.

 Technology can be misused and abused, but it can also be implemented as an effective tool to safeguard information privacy. Making sure your medical management system is secure will help prevent future lawsuits against you or your practice.

Most people that have objections to Internet-based software applications usually cite a lack of security as the reason. Particularly when it comes to applications that deal with protected health information (PHI), even some technology-savvy professionals feel safer if they have the server on-site under their control, with data only being transmitted on an internal network.

This feeling of security is, for the most part, illusory. Client servers located in offices or institutions rarely have the same level of security that ASPs are able to afford their servers due to economies of scale. Plus, having your server on-site means that you are responsible for maintaining it. Not only does this require extra resources, but it can be problematic if there’s a disaster – your on-site server is vulnerable to floods, tornadoes and fires in a way that good ASP servers are not, because they are usually situated at several diverse locations with data replicated across them. If a disaster befalls one of them, the other ones are still safe and so is your data.

Additionally, having to make your own data backups provides another opportunity for a security breach, as the University of Utah Hospitals & Clinics found out recently, when the backup tapes with medical billing information for 2.2 million patients went missing from a courier’s car. They could have taken a leaf out of the book of the university’s student health center, which unlike the hospitals and clinics division uses Nuesoft Xpress, an ASP model medical management and billing system, meaning their data remains secure and HIPAA compliant without university staff worrying about maintenance, backups or disasters.