Risk
8/22/2011
12:04 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

EHR Data In Cloud Needs Strong Security Trail

Presenters at a recent Legal EHR Summit warn healthcare providers to press their vendors for clear answers on security.

Healthcare Innovators
Slideshow: Healthcare Innovators
(click image for larger view andfor full slideshow)
With healthcare's unique information security requirements, the growth of cloud-based electronic health records (EHRs) is raising a number of new issues regarding data stewardship and organizational responsibility.

According to Gerard Nussbaum, director of technology services at management consultancy Kurt Salmon Associates, the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules do not specify whether a provider using a cloud-based EHR owns data in the medical records or if the information belongs to the service host. Speaking last week at the American Health Information Management Association (AHIMA) Legal EHR Summit in Chicago, Nussbaum recommended that healthcare providers explicitly negotiate data usage in contracts, particularly in case of a breach.

"Nothing is secure from breaches," noted Nussbaum, an attorney. Knowing this, he said it's best to "iron out up front" what each party's legal responsibility is in the event of a breach, such as who must notify individuals whose data may have been compromised.

Health information management consultant Sandra Nunn, who participated in a panel discussion on managing health information in the cloud, said she wants her clients to reach a clear understanding with their vendors about whether information will be sequestered in the cloud if there is a breach and whether there will be an easily accessible audit trail.

"Having multiple cloud vendors can complicate your situation," Nunn said. She surmised that it might be a good idea for providers to ask their vendors once or twice a year to create an audit log just to make sure it's possible.

This soon could become more urgent, based on a recent proposal from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). In what is being called the "accounting for disclosures" rule, OCR has proposed changing existing HIPAA privacy standards to require "covered entities" to produce disclosure reports within 30 days of a patient's request, rather than the current 60 days.

Another panel member, Daniel Orenstein, senior VP and general counsel of EHR and physician business services provider Athenahealth, Watertown, Mass., said that he has never actually seen a patient request an accounting for disclosures. It would take a good amount a work on the provider end to compile the information, but EHRs are capable, whether in the cloud or on a local server. "We certainly can produce it," Orenstein said.

Athenahealth did not submit formal comments to HHS on the proposed accounting rule, according to Orenstein, but the company, which long has offered remotely hosted services, is emblematic of the way the health IT industry is shifting, particularly for small physician practices. A month ago, Athenahealth announced plans to acquire Proxsys, a provider of care-coordination services that links physicians and hospitals via the cloud, to beef up its health information exchange capabilities.

Because of this trend, Nussbaum said due diligence must be an ongoing process. Providers should, for example, be aware of how they would get their data back should they stop using a cloud-based EHR or simply switch vendors.

He recommended walking away from any vendor that refuses to run a security audit because it suggests that the vendor is not serious about transparency. "You have to do the security audit one way or another," Nussbaum said, even if it is through a third party.

Nussbaum also said to avoid "shrinkwrap" licenses that don't take into account individual customers' needs in HIPAA business associates agreements.

Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Best of the Web