Study: Auditing Cloud-Based EMR Providers A Good Idea

Posted on August 28, 2013 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Providers that use cloud-based EMRs should have an outside party audit the EMR before they begin using them in production, according to a Journal of Medical Internet Resesarch piece reported in iHealthBeat.

The study, which was conducted through a literature review of Medline sources and correspondence with with cloud EMR providers, found that auditing cloud service providers would prove a useful window into management information processes and allow for an apples-to-apples comparison of security features between different providers.

To ensure the privacy and security of cloud EMRs, providers should look into the following features, the study said :

*  Access monitoring
*  Data encryption
*  Digital signatures
*  Network security mechanisms
*  Role-based access

Even with a thorough audit, providers are likely to find holes in the EMRs’ security and management capabilities. The study’s authors note that cloud-based EMR management systems are “still under development.”

For that, healthcare providers thinking about moving their EMR to the cloud should implement a thorough security policy, including:

* Third party certification:  Cloud providers must be compliant with standard third-party requirements such as FISMA, ISO 27001, PCI DSS Level 1 and SAS70 Type II.

* Monitoring:  The provider should include automated monitoring tools to assure high levels of performance and system availability.

* Internal communications:  The cloud provider should use the platform as a communications channel keeping personnel up to date on everything that happens within the system.

Background checks: Providers must have strong policies to control user access, and require that employees accessing patient data agree to background checks.

* Physical security:  The data center should be strictly controlled and feature video surveillance, expert security staff, intrusion detection and other electronic monitoring.

These steps, along with other standard  protocols, should go a long way toward addressing any security questions about cloud EMRs. But it still seems like most healthcare facilities are paranoid enough about their cloud installations that they seldom discuss them in public. Though I suspect things will change over time, I think cloud installations are still suspect in the eyes of hospital CIOs.  Perhaps a research-backed blueprint for cloud security will reassure some.