
EHR Hosting Demystified – What to Look For (and Look Out For), on Your Way to the Healthcare Cloud

Posted on March 15, 2016 | Written By

The following is a guest blog post by Joe Cernik from eMedApps.

As I write this post I’m trying to reach the cloud. I’m on my third-in-a-row delayed flight segment on this week’s business trip – ARGH!  Ascending to the cloud these days is mostly easy though. My music is there, as are my photos, bank accounts and even my fitness stats collected on my wrist while I’m jogging or while I’m sleeping. Cloud computing has become ubiquitous and healthcare has embraced the transition. Health IT vendors are rapidly migrating EHR, PM and RCM solutions from client-server formats to on-demand, pay-as-you-go cloud hosted solutions.

According to healthcare analyst IDC, organizations that use on-site data storage spend 32% more on IT support than organizations that use an outside hosting provider. From infrastructure costs of servers and support staff to application deployment and ongoing maintenance costs, on-premises software can be a high-touch, high-cost model. Most EHRs are either in the cloud today, or claim cloud compatibility. The cloud promises scalability, interoperability and business continuity – but where do you start to evaluate solutions and define your own path to the cloud?  Here are a few basics to get you going.

Ready, set, cloud….

Step 1: Understand hosting and cloud approaches and determine which type is right for you.

Insourced Hosting: A model also called managed services, managed client-server, or managed on-site hosting, where the hosting vendor provides end-to-end management of your complete EHR/PM system including the hardware and software systems installed at your facility. In essence, your hosting vendor becomes a member of your team, in-house, and manages the infrastructure that you own – generally in a client-server configuration. You’re not in the cloud yet, but this may be a first step in that direction if you’re ready to get out of the EHR/PM management business.

Outsourced Hosting: Also called remote hosting, hosted off-premise, and cloud hosting, outsourced EHR hosting locates your critical EHR/PM applications in a datacenter facility – outside of your LAN-based practice or clinic. EHR and patient data are stored on remote servers accessed via secure Internet connections. Fully outsourced remote hosting shifts the expense of procuring, managing and maintaining your EHR application and servers from your facility and your IT team to a fully managed datacenter. Servers are owned, managed, and refreshed by the hosting company. Now, you’re in the cloud.

Hybrid Model Hosting: Also called hosted client/server in the cloud and managed hosting, this model allows your organization to place your servers into a secure datacenter. This hybrid model between insourced hosting and outsourced hosting allows your organization to leverage existing capital investments in servers and investments in EHR application licenses, but moves the ongoing management and maintenance of this infrastructure investment to an internet accessible, secure remote site. Rather than installing and managing your application on a server in your office, the installation is managed on your server(s) in a controlled data center environment. Your users log into your remote server through a web browser.

Step 2: Understand Compliance and Regulatory Considerations (HIPAA, PHI, MU) Before You Sign a Contract

Your EHR hosting partner should be an EHR application expert, have demonstrable hosting expertise, and meet all regulatory and security protocols.  While this statement may seem obvious, note that no matter which type of hosting solution you consider or eventually adopt, your hosting provider and their facilities must meet all physical, procedural, operational, and technical readiness criteria established for hosting of protected healthcare data. Make certain to evaluate partners for compliance with all HIPAA/HITECH rules and, for outsourced or hybrid solutions, SOC 2 Type II and SOC 3 centers with certificates including: PCI DSS Level 1 and SSAE 16.

Step 3: Evaluate the Costs

Because there is no upfront cost for the software, and an organization is not required to buy a server, a cloud-based EHR may be less expensive than the onsite client/server setup. If one of your greatest hurdles to adopting an EHR is the initial cost of installation, an outsourced hosting model may be worth considering.

Some practices may also prefer to view their EHR expenses as a recurring operational expense (similar to a utility bill) rather than a capital investment. If your practice or clinic has already invested in on-premises infrastructure but wants to consider a move to an outsourced hosting model, a hybrid approach may be a good first step, with a full transition to an operational expense model on your next hardware refresh cycle.

Models vary among hosting vendors. Some vendors offer contract terms with hosting packages tailored to your revenue projections, or low introductory pricing that increases over time. Variable models should be evaluated over a five-year cost-of-ownership timeframe to accurately compare costs across vendor plans.

Clear the fog…move to the cloud.

The way organizations procure and deploy IT infrastructure is undergoing a significant transformation. Don’t be confused by the transition – cut through the fog and get to the facts on a hosting solution that will help you meet your business AND patient care goals.  That solution may include ascending to the cloud – there’s a lot of great music already there. Now, let’s see if my plane will make it into another type of cloud today.

Epic Tries To Open New Market By Offering Cloud Hosting

Posted on November 26, 2014 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

When you think of Epic, you hardly imagine a company which is running out of customers to exploit. But according to Frost & Sullivan’s connected health analyst, Shruthi Parakkal, Epic has reached the point where its target market is almost completely saturated.

Sure, Epic may have only (!) 15% to 20% market share in both the hospital and ambulatory enterprise EMR sectors, but it can’t go much further operating as-is. After all, there are only so many large hospital systems and academic medical centers out there that can afford its extremely pricey product.

That’s almost certainly why Epic has just announced that it is launching a cloud-based offering, after refusing to go there for quite some time. If it makes a cloud offering available, note analysts like Parakkal, Epic suddenly becomes an option for smaller hospitals with fewer than 200 beds. Offering cloud services may also net Epic a few large hospitals that want to create a hybrid cloud model with some of their application infrastructure on site and some in the cloud.

But unlike in its core market, where Epic has enjoyed incredible success, it’s not a lock that the EMR giant will lead the pack just for showing up. For one thing, it’s late to the party, with cloud competitors including Cerner, Allscripts, MEDITECH, CPSI, and many more already well established in the smaller hospital space. Moreover, these are well-funded competitors, not tiny startups it can brush away with a flyswatter.

Another issue is price. While Epic’s cloud offering may be far less expensive than its on-site option, my guess is that it will be more expensive than other comparable offerings. (Of course, one could get into an argument over what “comparable” really means, but that’s another story.)

And then there’s the problem of trust. I’d hate to have to depend completely on a powerful company that generally gets what it wants to have access to such a mission-critical application. Trust is always an issue when relying on a SaaS-based vendor, of course, but it’s a particularly significant issue here.

Why? Realistically, the smaller hospitals that are likely to consider an Epic cloud product are just dots on the map to a company Epic’s size. Such hospitals don’t have much practical leverage if things don’t go their way.

And while I’m not suggesting that Epic would deliberately target smaller hospitals for indifferent service, giant institutions are likely to be its bread and butter for quite some time. It’s inevitable that when push comes to shove, Epic will have to prioritize companies that have spent hundreds of millions of dollars on its on-site product. Any vendor would.

All that being said, smaller hospitals are likely to overlook some of these problems if they can get their hands on such a popular EMR.  Also, as rockstar CIO John Halamka, MD of Beth Israel Deaconess Medical Center notes, Epic seems to be able to provide a product that gets clinicians to buy in. That alone will be worth the price of admission for many.

Certainly, vendors like MEDITECH and Cerner aren’t going to cede this market gracefully. But even as a Johnny-come-lately, I expect Epic’s cloud product to do well in 2015.

From 5 EHR to the Cloud, EMR Is Just a Tool, Startups to Improve EMR Usability

Posted on February 16, 2014 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This is a big preview of coming attractions. EHR vendors are going to have to be ready for this type of EHR purchase going forward. Well, maybe not 5 EHR, but it could be close to as complex. Add in all of the practice acquisitions and the EMR switching is happening.

This is a good reminder. EMR is a tool and how you use it determines its real value.

The real question is whether the EMR systems will allow it or at least which EMR vendors will support it. If they don’t, startups won’t be able to do much. Even if they do open it, I’m still not confident that a startup built on top of today’s EMRs can solve what pains EMR.

Study: Auditing Cloud-Based EMR Providers A Good Idea

Posted on August 28, 2013 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Providers that use cloud-based EMRs should have an outside party audit the EMR before they begin using it in production, according to a Journal of Medical Internet Research piece reported in iHealthBeat.

The study, which was conducted through a literature review of Medline sources and correspondence with cloud EMR providers, found that auditing cloud service providers would prove a useful window into management information processes and allow for an apples-to-apples comparison of security features between different providers.

To ensure the privacy and security of cloud EMRs, providers should look into the following features, the study said:

*  Access monitoring
*  Data encryption
*  Digital signatures
*  Network security mechanisms
*  Role-based access

Even with a thorough audit, providers are likely to find holes in the EMRs’ security and management capabilities. The study’s authors note that cloud-based EMR management systems are “still under development.”

For that reason, healthcare providers thinking about moving their EMR to the cloud should implement a thorough security policy, including:

* Third party certification: Cloud providers must be compliant with standard third-party requirements such as FISMA, ISO 27001, PCI DSS Level 1 and SAS70 Type II.

* Monitoring: The provider should include automated monitoring tools to assure high levels of performance and system availability.

* Internal communications: The cloud provider should use the platform as a communications channel keeping personnel up to date on everything that happens within the system.

* Background checks: Providers must have strong policies to control user access, and require that employees accessing patient data agree to background checks.

* Physical security: The data center should be strictly controlled and feature video surveillance, expert security staff, intrusion detection and other electronic monitoring.

These steps, along with other standard protocols, should go a long way toward addressing any security questions about cloud EMRs. But it still seems like most healthcare facilities are paranoid enough about their cloud installations that they seldom discuss them in public. Though I suspect things will change over time, I think cloud installations are still suspect in the eyes of hospital CIOs. Perhaps a research-backed blueprint for cloud security will reassure some.

The Sneaky Healthcare Cloud

Posted on April 11, 2013 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Folks, I’ve read countless reports about the growing emergence of the cloud in healthcare. The thing is, many are studies summarizing broad trends in the industry, rather than news about specific providers who are willing to stand up and say that they actually implemented a cloud solution to house their healthcare data.

If hospitals and health systems are indeed adopting cloud solutions, why aren’t we hearing more about their experiences?  I have a few theories:

* Migration: Organizations that move from a legacy data management system to a cloud-based infrastructure have a lot of work to do. These folks probably don’t want to discuss what they’re doing until they’re pretty sure they’ve gotten the job done right.

* Outsourcing: Some healthcare leaders are outsourcing their cloud operations, but they’re not ready to scream to the rooftops that they’ve done so. My feeling is that they want to feel more confident about the relationship before they broadcast what they’re doing.

* Security: If a healthcare facility goes with the cloud, IT leaders there are probably pretty comfortable with cloud security, but I’m sure they don’t want to invite cybercriminals to put them to the test.

* Politics: Implementing the cloud for clinical data management may be a perfectly fine solution, but perhaps those facilities who have gone that way would rather not face criticism from outsiders who don’t agree with them.

Ultimately, the debates over cloud security may die.  As David Linthicum of HealthDataManagement notes, studies suggesting that even the public cloud can be secure are rolling in. (A recent study cited by Linthicum concludes that anything that can be accessed from outside, be it enterprise or cloud infrastructure, has an equal chance of being attacked.)

But for the time being, it seems pretty clear that hospitals aren’t going to hang out banners on their campus boasting about their cloud data infrastructure. Let’s see what happens over the next year or two.