Are Web Based Electronic Medical Records Secure?

In an earlier post we examined how health care organizations are increasingly investing in clinical information systems (aka EMR) and the benefits of such a system. As these systems have evolved, vendors (as with other application software) are increasingly migrating to web based or online EMR systems. For as little as $500/month some vendors offer a full featured EMR system for physician offices, providing advanced features such as charting, drug interactions, etc.

While some physician offices and provider groups have bought into this (partly because they require considerably lower investment than desktop based EMR software), there is still a lot of skepticism. Just as with any other new technology, questions are being directed at the security of data on such systems. This is amplified by the sensitive patient data and payment information residing in such systems.

Houston Neal at SoftwareAdvice recently told us about his article on the double standards that exist in healthcare when it comes to evaluating the security of web based Electronic Medical Records (EMR) systems. He notes that vendors of such web based EMR software put considerable resources and effort into securing data exchange, data storage and data integrity.

How Vendors Secure Medical Data in Web Based EMR

To protect data transmitted between a physician office and the server, vendors use HIPAA-compliant data encryption technologies, the standard being 128-bit secure socket layer (SSL) encryption. The servers are powered with firewalls to block illegitimate traffic, and intrusion detection systems to monitor when someone tries to hack the system. In addition, vendors safeguard the data center where the server exists, storing the server in a highly secure compartment with uninterruptible power, air filtration and advanced fire suppression systems. At the physician’s office, software will have permission settings for each user, allowing them to access the EMR only during specified hours and days of the week.
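The per-user hour and day restrictions described above, as an added example (not code from any vendor or from the article): the user names, schedules and the fixed UTC-6 clinic offset are constructed assumptions. The check fails closed for unknown users and handles shifts that run past midnight.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Assumption: the clinic sits at a fixed UTC-6 offset. A deployment that
# observes daylight saving time would use an IANA zone instead.
CLINIC_TZ = timezone(timedelta(hours=-6))


@dataclass(frozen=True)
class AccessWindow:
    days: frozenset  # weekdays on which the window opens, Monday=0
    start: time
    end: time        # end <= start means the window runs past midnight

    def allows(self, local: datetime) -> bool:
        t = local.time()
        if self.start < self.end:  # window opens and closes on the same day
            return local.weekday() in self.days and self.start <= t < self.end
        if t >= self.start:        # evening part of an overnight window
            return local.weekday() in self.days
        if t < self.end:           # morning part belongs to yesterday's shift
            return (local.weekday() - 1) % 7 in self.days
        return False


# Constructed sample policy; the user names are hypothetical.
POLICY = {
    "frontdesk": [AccessWindow(frozenset({0, 1, 2, 3, 4}), time(8, 0), time(17, 0))],
    "night_nurse": [AccessWindow(frozenset({4, 5}), time(22, 0), time(6, 0))],
}


def may_access(user: str, now: datetime) -> bool:
    """Return True only if `now` falls inside one of the user's windows.

    Fails closed: unknown users and timestamps without a time zone are denied,
    so a client cannot widen its window by sending an ambiguous local time.
    """
    if now.tzinfo is None:
        return False
    local = now.astimezone(CLINIC_TZ)  # always evaluate in clinic time
    return any(w.allows(local) for w in POLICY.get(user, []))
```

The decision has to be made on the server against the server's clock; a schedule enforced only in the client at the physician's office can be bypassed by changing the workstation time.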

While there are definitely some valid unanswered questions about security and HIPAA compliance of such systems, it does look like many of the questions are being answered by the top quality software vendors.

Now, we wonder how many existing health care providers or even large acute care hospitals currently have such sophisticated secure data centers? We will leave that question as food for thought.