
Cloud-Based EMR Vendors and Patient Data Security

22 April 2014

According to a 2012 report published by the Centers for Disease Control, in 2011 41% of the office-based physicians who used electronic medical records were using a cloud-based EMR. The lower cost, security against media theft and ease of sharing information between medical personnel and institutions will ensure more medical practitioners adopt cloud-based EMR systems, but practitioners must choose their EMR vendor carefully.

In a January 2013 interview with a FierceEMR reporter, Patient Privacy Rights founder Deborah Peel, M.D. said some EMR vendors were not even aware they had to comply with HIPAA and sign business associate agreements. These vendors may not be performing required steps such as maintaining audit trails and conducting risk analyses, or even taking basic security precautions. Some do not even encrypt the data. According to Peel, “Doctors and hospitals are using cloud services [for their EHRs] without any idea if their data is protected.”

DHHS Steps Up Enforcement

While legislation has not caught up to technology, the number of investigations by the Department of Health and Human Services has increased over the years since HIPAA went into effect. In 2004 there were 4,799 resolutions and 1,393 investigations; in 2011, there were 8,730 and 3,898 respectively. Even small medical businesses aren’t exempt. Hospice of Northern Idaho was ordered to pay a $50,000 settlement in January 2013 after the 2010 theft of an unencrypted laptop breached the privacy of fewer than 500 patients.

Theft of unencrypted computers, portable devices and media used to store patient records still makes up the majority of security incidents. Cloud-based EMR does not suffer from this problem, since the data is stored on a remote server instead of directly on the device. If the device is lost or stolen, all the business has to do is revoke or reset the credentials for the user’s account.

Hackers and Patient Records

In the past, medical practitioners have assumed their systems were too small, too obscure or too lacking in financial reward to interest hackers. This cloak of obscurity is shrinking rapidly thanks to a specialized search engine called Shodan. It scans the web for connected devices and dumps the results into a searchable database anyone can access. Shodan allowed a white hat hacker to locate and access a wireless patient glucose monitor in Wisconsin, and a University of Florida security researcher to find a Philips virtual access system used for fetal monitoring.

While small practices have not been singled out by hackers, cyber attacks from hackers looking for personally identifiable information have hit larger health institutions. On March 30th, a hacker traced to Eastern Europe broke into the Utah Health Department database of 780,000 Medicaid patients and stole an unknown number of Social Security numbers.

Size Doesn’t Matter

Small practices cannot rely on their size to protect them from prosecution. In response to the Hospice of Northern Idaho case, HHS Office for Civil Rights Director Leon Rodriguez stated, “This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

The Role Of Your EMR Vendor

The benefits cloud storage offers to patients and physicians are undeniable, but the role of the EMR vendor in protecting patient privacy is a concern that many practitioners overlook. To avoid potential security breaches and fines, it’s essential for small offices to choose an EMR vendor that knows and complies with the law.

ZH Healthcare appreciates the importance of security in the EMR vendor decision-making process. ZH Healthcare addresses security and patient data security in three areas. First, we make every attempt to be compliant with all laws and regulations in our processes. We review updates to applicable laws, and update our agreements and supporting documentation on an ongoing basis in order to remain current with these governing regulations. Second, in order to safeguard patient data, we utilize a highly secure and HIPAA compliant cloud service provider, which provides both physical and access level security. Third, ZH Healthcare participates on the OpenEMR Board, where application level security of patient health records is an organizational commitment.

For more information regarding ZH Healthcare’s OpenEMR cloud and security approach, click here.