Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/22/2011
12:04 PM
50%
50%

EHR Data In Cloud Needs Strong Security Trail

Presenters at a recent Legal EHR Summit warn healthcare providers to press their vendors for clear answers on security.

Healthcare Innovators
Slideshow: Healthcare Innovators
(click image for larger view andfor full slideshow)
With healthcare's unique information security requirements, the growth of cloud-based electronic health records (EHRs) is raising a number of new issues regarding data stewardship and organizational responsibility.

According to Gerard Nussbaum, director of technology services at management consultancy Kurt Salmon Associates, the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules do not specify whether a provider using a cloud-based EHR owns data in the medical records or if the information belongs to the service host. Speaking last week at the American Health Information Management Association (AHIMA) Legal EHR Summit in Chicago, Nussbaum recommended that healthcare providers explicitly negotiate data usage in contracts, particularly in case of a breach.

"Nothing is secure from breaches," noted Nussbaum, an attorney. Knowing this, he said it's best to "iron out up front" what each party's legal responsibility is in the event of a breach, such as who must notify individuals whose data may have been compromised.

Health information management consultant Sandra Nunn, who participated in a panel discussion on managing health information in the cloud, said she wants her clients to reach a clear understanding with their vendors about whether information will be sequestered in the cloud if there is a breach and whether there will be an easily accessible audit trail.

"Having multiple cloud vendors can complicate your situation," Nunn said. She surmised that it might be a good idea for providers to ask their vendors once or twice a year to create an audit log just to make sure it's possible.

This soon could become more urgent, based on a recent proposal from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). In what is being called the "accounting for disclosures" rule, OCR has proposed changing existing HIPAA privacy standards to require "covered entities" to produce disclosure reports within 30 days of a patient's request, rather than the current 60 days.

Another panel member, Daniel Orenstein, senior VP and general counsel of EHR and physician business services provider Athenahealth, Watertown, Mass., said that he has never actually seen a patient request an accounting for disclosures. It would take a good amount a work on the provider end to compile the information, but EHRs are capable, whether in the cloud or on a local server. "We certainly can produce it," Orenstein said.

Athenahealth did not submit formal comments to HHS on the proposed accounting rule, according to Orenstein, but the company, which long has offered remotely hosted services, is emblematic of the way the health IT industry is shifting, particularly for small physician practices. A month ago, Athenahealth announced plans to acquire Proxsys, a provider of care-coordination services that links physicians and hospitals via the cloud, to beef up its health information exchange capabilities.

Because of this trend, Nussbaum said due diligence must be an ongoing process. Providers should, for example, be aware of how they would get their data back should they stop using a cloud-based EHR or simply switch vendors.

He recommended walking away from any vendor that refuses to run a security audit because it suggests that the vendor is not serious about transparency. "You have to do the security audit one way or another," Nussbaum said, even if it is through a third party.

Nussbaum also said to avoid "shrinkwrap" licenses that don't take into account individual customers' needs in HIPAA business associates agreements.

Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We need more votes, check the obituaries.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3278
PUBLISHED: 2021-01-26
Local Service Search Engine Management System 1.0 has a vulnerability through authentication bypass using SQL injection . Using this vulnerability, an attacker can bypass the login page.
CVE-2021-3285
PUBLISHED: 2021-01-26
jxbrowser in TI Code Composer Studio IDE 8.x through 10.x before 10.1.1 does not verify X.509 certificates for HTTPS.
CVE-2021-3286
PUBLISHED: 2021-01-26
SQL injection exists in Spotweb 1.4.9 because the notAllowedCommands protection mechanism is inadequate, e.g., a variation of the payload may be used. NOTE: this issue exists because of an incomplete fix for CVE-2020-35545.
CVE-2021-3291
PUBLISHED: 2021-01-26
Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.
CVE-2021-3297
PUBLISHED: 2021-01-26
On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access.