
Study: Auditing Cloud-Based EMR Providers A Good Idea

Posted on August 28, 2013 | Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Providers that use cloud-based EMRs should have an outside party audit the EMR before they begin using it in production, according to a Journal of Medical Internet Research piece reported in iHealthBeat.

The study, which was conducted through a literature review of Medline sources and correspondence with cloud EMR providers, found that auditing cloud service providers would provide a useful window into their information management processes and allow for an apples-to-apples comparison of security features between different providers.

To ensure the privacy and security of cloud EMRs, providers should look for the following features, the study said:

*  Access monitoring
*  Data encryption
*  Digital signatures
*  Network security mechanisms
*  Role-based access

Even with a thorough audit, providers are likely to find holes in the EMRs’ security and management capabilities. The study’s authors note that cloud-based EMR management systems are “still under development.”

For that reason, healthcare providers thinking about moving their EMR to the cloud should implement a thorough security policy, including:

* Third party certification:  Cloud providers must be compliant with standard third-party requirements such as FISMA, ISO 27001, PCI DSS Level 1 and SAS70 Type II.

* Monitoring:  The provider should include automated monitoring tools to assure high levels of performance and system availability.

* Internal communications:  The cloud provider should use the platform as a communications channel that keeps personnel up to date on everything that happens within the system.

* Background checks:  Providers must have strong policies to control user access, and require that employees accessing patient data agree to background checks.

* Physical security:  The data center should be strictly controlled and feature video surveillance, expert security staff, intrusion detection and other electronic monitoring.

These steps, along with other standard protocols, should go a long way toward addressing any security questions about cloud EMRs. But it still seems like most healthcare facilities are paranoid enough about their cloud installations that they seldom discuss them in public. Though I suspect things will change over time, I think cloud installations are still suspect in the eyes of hospital CIOs. Perhaps a research-backed blueprint for cloud security will reassure some.

EMR Security, Afghanistan EMR, and Regina Holliday EMR Video

Posted on August 26, 2012 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Time once again for our roundup of interesting tweets from around the EMR twittersphere. We really go around the world with one of these tweets. Hopefully you find them useful and interesting.

I don’t think most of you know that I’m also working on a redesign of my websites. It’s still got a little ways to go, but I think it’s coming together nicely. It’s going to add some features I’ve wanted for a while and make the design look a lot better. I’ve had the current design for more than 6 years, so it was time. One of the best features of the new website is Twitter embeds. I can’t wait!

Without further ado, a few EMR and health IT tweets with some of my own commentary:

I always love when people talk about the huge EMR security risk. When you look at the breach list and the healthcare data security issues, EMR barely shows up. There are so many other security issues with medical practices that are much more vulnerable. Not that we should give EMR security a pass, but EMR security is likely one of the most secure things in a medical office. So, this is good advice.

I always love to hear how the military uses EMR. They use EMR in some of the most challenging places imaginable. I think we can learn a lot from their experiences.

I think this is a really interesting contest by ONC. I’m looking forward to seeing more of the videos that are created. My fear is that most of the videos will be EHR companies that push their power EMR users to make something. We’ll see how it turns out.

101 Tips to Make Your EMR and EHR More Useful – EHR Tips 11-15

Posted on December 13, 2011 | Written By John Lynn

Time for the next entry covering Shawn Riley’s list of 101 Tips to Make your EMR and EHR More Useful. I met someone at a conference who commented that they liked this series of posts. I hope you’re all enjoying the series as well.

15 Avoid multiple sign-ins if possible.
One thing seems abundantly clear to me: healthcare IT will be a heterogeneous environment. This is particularly true in the hospital world. Even the biggest behemoth of an HIS can’t satisfy all of the healthcare IT requirements of a hospital. So, getting a great SSO (single sign on) solution will be really important and turns out to be a great thing for your users and your help desk.

14 Make sure security is solid, but not prohibitive.
One thing about healthcare security and HIPAA that’s often misunderstood is that it should protect patients’ information, but it should also not get in the way of a clinician doing what they legitimately need to accomplish. Many security policies go too far and make legitimate healthcare work too hard. This is a huge mistake.

13 PDSA – Use it! Plan – Do – Study – Act
In this one, Shawn talks about the idea of continuous improvement which is a really good one. I also think far too many companies get stuck in the planning and do far too little doing and acting. All four steps of the process are important and useful, but don’t over think it either.

Lean isn’t about being cheap. Lean isn’t about providing substandard care. Lean is about spending where it matters most. It’s about focusing on what’s most important and creating value from the things you spend money on. I’d love to see more LEAN concepts used in healthcare.

11 Buy MORE printers
Yep! Printing increases dramatically with an EHR. Almost all those forms that you used to print in bulk will now be coming out of your printer. Also, just because a practice is fully electronic doesn’t mean that it is paperless. Paperless is a mythical creature that will likely never be achieved in our lifetime. Make the printers accessible for your providers.

If you want to see my analysis of the other 101 EMR and EHR tips, I’ll be updating this page with my 101 EMR and EHR tips analysis. So, click on that link to see the other EMR tips.

Guest Post: ONC-ATCB ICSA Labs – The Future of EHR Testing Requires Security and Privacy Enhancements

Posted on August 25, 2011 | Written By John Lynn

Guest Post – Amit Trivedi – As the healthcare program manager for ICSA Labs, Amit Trivedi spearheads the lab’s overall efforts in the healthcare industry, including launching and managing the 2011/2012 Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB) certification program.

We all know there is no such thing as perfect security. All we can do is try to mitigate as many risks as possible. In this regard, there are areas related to information security that the current ONC-ATCB 2011/2012 (commonly referred to as meaningful use) certification testing does not yet address and that the health IT community should be aware of when implementing systems.

ICSA Labs is an Office of the National Coordinator-Authorized Testing and Certification Body (ONC-ATCB), designated to test both complete and modular electronic health record (EHR) technologies under the auspices of the federal government’s Temporary Certification Program. ICSA Labs has a history rich in the certification of security products. We have been testing security products and developing test criteria for more than two decades and we understand the importance of raising security awareness in the health IT community and helping Eligible Providers and Hospitals understand what meaningful use EHR certification testing does and doesn’t cover.

It is important to remember that regardless of the number of security features a product has, an incorrect or incomplete implementation can introduce vulnerabilities or compromise the security of the system. Certification testing can really only demonstrate that a product is capable of being used securely, not that its security can never be compromised.

Testing bodies must test products within the scope of approved test procedures. As an organization that has developed testing procedures and methodologies, we understand that there is a delicate balancing act when developing requirements so that general concepts and capabilities are covered by the testing, but the testing process is not designed so specifically as to stifle innovation in new products. As such, we recommend that end users and implementers be aware of these requirements when deploying ONC-ATCB 2011/2012 certified products.

Encryption Requirements Do Not Address the “What”

Consider the encryption requirements (criteria 170.302.u and 170.302.v). The current testing criteria require FIPS 140-2 level encryption. This is an excellent way to require products to support some of the strongest encryption available today, and to keep them in line with other federal encryption requirements.

One could compare encryption to a bank vault. You might purchase the most secure, unbreakable vault in the world, but if you don’t put your valuables in the vault, it won’t be of any help when there is a break-in. The current meaningful use testing procedures do not dictate what must be encrypted. Ultimately it falls to end users to make a determination as to how they want to implement security – hopefully basing the decision on a risk-based approach. Fortunately, meaningful use testing and certification follows a staged approach to getting from where we are today to where we’d like to be in the future. The meaningful use certification is planned to be rolled out in three stages. Right now, we are in the midst of Stage 1. Some recommendations to the ONC for Stage 2 security criteria include addressing things like encrypting data at rest (including data in datacenters and mobile devices) – something that is not part of the Stage 1 requirements.

Negative Testing Examines the Unexpected

Another area to highlight is related to negative testing, which is currently out of scope for ONC-ATCBs. The testing performed today relies on giving the EHR an expected input and verifying that the expected result is met. Negative testing, however, is the concept of giving unexpected or invalid inputs to a system and verifying receipt of an expected result (typically, that the data is not accepted or an error is generated that does not crash the system). Negative testing is common throughout ICSA Labs’ proprietary security testing programs and something we feel should be incorporated into future testing of EHR technologies under the ONC Certification program.

Consider the authentication and access control requirements (criteria 170.302.t and 170.302.o). Some of you may be aware of an old Unix weakness: the traditional DES-based crypt(3) password hash used only the first eight characters of the password, so the operating system could not correctly support passwords longer than eight characters. If the password was 12 characters long, a user only needed to enter the first 8 characters to be allowed to log in. This made password cracking on Unix servers much easier, and because the system accepted the entry of a longer password, most users were unaware of this limitation.

ICSA Labs has discovered the same or similar problems when testing products in our proprietary security certification programs, and the primary way we discover them is by negative testing. For example, we configure a password greater than eight characters, and then we attempt to log in to the system using only the first eight characters. This should be treated as invalid by the system and rejected. However, the meaningful use EHR testing only tests that the system accepts valid passwords. There is no testing done on the system’s acceptance or rejection of invalid passwords.
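The following is an added illustration of the negative test described above; it is not ICSA Labs code and not part of the ONC-ATCB test procedures. Both authenticators are toy models: `LegacyAuthenticator` deliberately reproduces the behaviour the post describes (only the first eight characters of the password are significant before hashing), while `HardenedAuthenticator` hashes the whole password with PBKDF2 and rejects out-of-range lengths explicitly instead of silently clipping them. The salt, the length bound and the iteration count are assumptions chosen for the example. `negative_test` sends each authenticator the valid password (the positive test certification already performs) and then the invalid variants a positive-only test never sends.

```python
"""Negative test for password-prefix acceptance (the crypt(3) eight-character problem).

Added example, not ICSA Labs or ONC code. Both authenticators are toy models
built to show the difference between a system that silently truncates
passwords and one that does not.
"""
import hashlib
import hmac
import os

SALT = os.urandom(16)  # assumption: one salt shared by the toy models; fine for a demo


class LegacyAuthenticator:
    """Models the traditional DES crypt(3) behaviour: characters past the
    eighth are silently discarded before hashing, on enrolment and on login."""

    MAX_SIGNIFICANT = 8

    def __init__(self, password: str) -> None:
        self._stored = self._hash(password)

    def _hash(self, password: str) -> bytes:
        # The truncation is the defect under test. Because it happens on both
        # sides, a user who set a 21-character password never sees an error.
        significant = password[: self.MAX_SIGNIFICANT].encode()
        return hashlib.sha256(SALT + significant).digest()

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self._stored, self._hash(password))


class HardenedAuthenticator:
    """Hashes the whole password with a slow KDF and rejects out-of-range
    lengths explicitly rather than clipping them."""

    MAX_LENGTH = 128  # assumption: upper bound so huge inputs cannot burn KDF time
    ITERATIONS = 100_000  # assumption: iteration count for the demo

    def __init__(self, password: str) -> None:
        self._check_length(password)
        self._stored = self._hash(password)

    @classmethod
    def _check_length(cls, password: str) -> None:
        if not password or len(password) > cls.MAX_LENGTH:
            raise ValueError("password length out of bounds")

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, self.ITERATIONS)

    def login(self, password: str) -> bool:
        try:
            self._check_length(password)
        except ValueError:
            return False
        return hmac.compare_digest(self._stored, self._hash(password))


def negative_test(factory, password: str = "correct-horse-battery") -> dict:
    """Run the positive check plus the negative probes the post recommends.

    Returns a dict mapping probe name -> True if the system behaved correctly.
    The default password is a constructed 21-character sample.
    """
    auth = factory(password)
    return {
        # positive test: the only thing a valid-input-only procedure checks
        "accepts_full_password": auth.login(password) is True,
        # negative tests: every one of these must be rejected
        "rejects_8_char_prefix": auth.login(password[:8]) is False,
        "rejects_9_char_prefix": auth.login(password[:9]) is False,
        "rejects_extra_trailing": auth.login(password + "x") is False,
        "rejects_empty": auth.login("") is False,
    }


def passes_all(results: dict) -> bool:
    """True only if every probe, positive and negative, behaved correctly."""
    return all(results.values())


if __name__ == "__main__":
    for name, factory in (("legacy", LegacyAuthenticator), ("hardened", HardenedAuthenticator)):
        results = negative_test(factory)
        print(f"{name}: {'PASS' if passes_all(results) else 'FAIL'}")
        for probe, ok in results.items():
            print(f"  {probe}: {'ok' if ok else 'FAILED'}")
```

Run against the legacy model, the positive probe passes while the prefix and trailing-character probes fail, which is exactly the gap the post describes: a procedure that only feeds valid input would have certified it. The hardened model passes every probe, including the empty password, which it rejects by policy before doing any hashing.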

The Future of EHR Testing Must Increase Security, Privacy

As we progress to the next stages of meaningful use certification, the requirements should begin to look at other areas of security, such as application testing for vulnerabilities like buffer overflows, SQL injection, and cross-site scripting attacks. These are all examples of security testing best practices. In many instances, ONC has signaled its flexibility in allowing third-party products to complement the functionality of EHR technologies, which means that not all of the functionality needs to be native to the product. This can allow EHR developers to focus on functionality that their customers are looking for, while at the same time keeping security an important consideration throughout the product development life cycle.

It is our hope that future stages of meaningful use testing will raise the bar and specify how and when features like encryption should be used, and that the scope of testing will be expanded to include things like negative testing. As the meaningful use criteria evolve, it is critical that both the criteria and the testing procedures are developed in ways that consider the long-term security and privacy of patient health records.

The Top Three Things The Mass Media Does To Delay EMR Adoption

Posted on June 18, 2011 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Now that the government is pushing EMR use, the mainstream press has begun to report on the issue.

True, some astute editors are beginning to dig into the problems that matter, such as securing patient data and the challenges of getting physicians on board.

But most consumer publications, with their penchant for simplifying and condensing issues, are muddying the waters even further. Here are some things they’re doing which, I’d argue, are actually slowing down the EMR adoption process:

*  Asking consumers whether they “want” an EMR: Let’s be honest: most consumers have only a vague idea of what an EMR is. You might as well ask them whether they’d like oh, I don’t know, a confoobatron. If they think those confoobatrons are supposed to be the latest thing in medicine, they’ll say sure, I’d want one of those!  In other words, you’re not giving doctors and hospitals real feedback as to how EMRs will foster relationships with their patients. It’s easy for clinicians to write off such responses as bogus and avoid adoption for a while longer.

* Focusing on a few spectacular security breaches: Yes, it’s really unfortunate that hospital staffers stole a peek at some Hollywood celeb’s medical data, or that a stolen laptop stocked with unencrypted data exposed patients at Hospital A to medical ID theft. But in playing up spectacular security breaches, mass media players distract everyone from the real issues. As we all know, most hospitals and doctors have far less glamorous problems to worry about, such as encrypting data, controlling access by role and seeing to it that staff are trained in security policies. But playing up a few disasters — such as stolen laptops or celebrity medical record leaks — makes it sound like security is beyond the reach of your average provider.

* Doing little to examine why physician adoption of EMRs is still low: While you will see the likes of USA Today look at abysmal EMR adoption rates, these stories usually collect a few random interviews with association heads or a random private practitioner and cite a few of their random headaches. These stories don’t dig into the really important issues (such as fear of productivity loss, lack of clinician buy-in and techno-phobia) that are stopping the train. While doctors obviously read trade publications like this one, they’re human, and if the USA Today story they skimmed on the train doesn’t address their concerns, it’s easy to stay tuned out on EMRs for a while longer.

OK, maybe I’m being a bit unfair here.  Having been an editor for decades, I know the mass media can’t take the place of blogs like this that focus on serious professional issues. But I still wish that my colleagues in the consumer press would give EMR issues as much serious thought as, say, professional football. Wouldn’t that be refreshing?