Tips for cloud-based EHR security

When choosing an electronic health record (EHR) solution for an independent practice, the provider will need to decide between a server-based system and a cloud-based system. With cloud-based EHR systems, data is stored on external servers and can be accessed from any device that has an internet connection, while server-based EHR systems store data within the practice on a personal server. Cloud-based EHRs are more secure by their very nature, but security measures still need to be put in place. Here are some tips for cloud-based EHR security.

The cloud-based EHR server is created and managed by the SaaS provider, which means that the vendor is more likely to meet HIPAA patient information confidentiality standards. Cloud-based server vendors make careful and tactical efforts (such as conducting risk analyses and encrypting data) to ensure that a patient’s electronic personal health information (ePHI) is kept safe and private.

Many describe the security of cloud-based servers as “achieving HIPAA compliance with bank-level security and high-level encryption methods.” Thus, these SaaS providers can be trusted to keep patient ePHI safe. In addition, cloud-based systems will not experience system crashes like a server-based system does. This means that in cloud-based systems, providers will always have access to patient information, even in critical moments.

In addition, cloud-based systems are operated by external SaaS providers and are updated automatically, so practices using them can be assured that they are always operating on up-to-date servers. Users are therefore likely to always be on the most current version of the system, which makes it easier to stay in compliance with federal security guidelines.

The Office of the National Coordinator for Health Information Technology (ONC) advises that exchanging patient information electronically, submitting claims electronically, generating electronic records for patients’ requests, and e-prescribing are all examples of online activities that rely on cybersecurity practices to safeguard systems and information. This is particularly so because an Internet connection is necessary to conduct the many online activities that can be part of EHR and ePHI use.

Cybersecurity refers to ways to prevent, detect, and respond to attacks against, or unauthorized access to, a computer system and its information. Cybersecurity protects patient and practice information, or any form of digital asset stored in a computer or in any digital memory device. It is important to have strong cybersecurity practices in place to protect patient information, organizational assets, practice operations, and personnel, and of course to comply with the HIPAA Security Rule.

The Cloud Security Alliance (CSA) recently identified many of the top cybersecurity concerns that were “directly in the user’s control,” including:

  • Identity and access management
  • Cryptography
  • Configuration management
  • Poor coding practices
  • Ignoring cloud direction.

The Health Information Management Working Group of the CSA also recently released guidance on the growing threat of ransomware in the healthcare cloud. Their report is intended to be used in conjunction with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The report states that “Due to the nature of public cloud, where the underlying infrastructure is secured and managed by the cloud service provider, many customers incorrectly assume that the threat of ransomware in the cloud is less than in a private data center.”

The NIST Cybersecurity Framework identifies five cybersecurity cornerstones for organizations to use to mitigate risk:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

CSA’s report follows the same structure, recommending that healthcare organizations identify and classify all of their IT systems, data, and software, allowing them to prioritize cybersecurity efforts and aid in response and recovery. The report states that “Prevention is the best defense against ransomware, and it is essential to implement controls for protection. To protect an organization’s cloud from ransomware, the place to start is with protecting the computer.”

Toward that goal, CSA recommends:

  • Installing endpoint protection
  • Filtering incoming and outgoing emails to detect threats
  • Employing network segmentation to ensure separation between IT and networked medical devices.