Are EHRs Secure?
The short answer is yes, but the level of security depends on how your EHR is hosted. If it’s cloud-based, there are many failsafe measures in place to protect your clinic and patient data. On-premises solutions, on the other hand, are less advanced and don’t have the capabilities to stay current with security, performance, and reliability.
Whether a clinic’s data is hosted on-premises or in a cloud environment, hackers will try to find a way to ruin your day. Recovering from an attack can be significantly more challenging for on-premises users. Let’s discuss two real-life scenarios we’ve encountered.
On-Premises Electronic Health Record Security
Scenario #1 – Clinic’s main server infected during a ransomware attack
In the middle of the night, a ransomware virus infected a clinic’s main server, encrypting any file that was not actively in use. Fortunately, the SMART database was in use at that time and thus impervious to infection or alteration. Had it not been in use, SMART would have also been susceptible to the virus. The clinic was able to copy its SMART data to a secure location and restore the entire server from a snapshot made the night before. If the virus had affected the SMART database or if a server backup hadn’t been available, the results would have been very different – the clinic would have been forced to pay the ransom for a decryption key or lose an entire day’s worth of data.
Scenario #2 – Clinic’s entire server and workstations infected by a ransomware virus
A different clinic got hit quite a bit harder. A ransomware virus infected their workstations and their entire server. This affected their main SMART folder and database. Next, it spread to their external backup device, encrypting all previous backups.
The clinic had two choices – they could either pay the ransom and hope to get a decryption key or start from scratch with a blank database. At this point, they had been without access to SMART for over two days. If they could not decrypt the data, they wanted to be ready to start from scratch. SMART worked with the clinic to help build out a new server. After two days, they finally received the decryption key and access to their files. In total, they were unable to use SMART for four whole business days.
This was a frustrating and time-consuming situation for both organizations. On-premises users are responsible for recovering from these attacks. Not only must they worry about getting SMART back up and running, but they also must repair and restore any infected workstations.
How cloud-based EHR protects patient healthcare data
Security concerns for cloud-based users are much different. Since SMART’s Cloud launched in 2016, there have been zero attacks on cloud partners. It is important to note that if a virus infects a cloud-based user, there is still a chance of unauthorized patient information access. However, the odds of this occurring are far lower because of the separation between user and data as well as the inherent stringent cloud security measures.
The fact of the matter is that cloud security is far more advanced than traditional on-premises tactics. Choosing a cloud-hosted environment means increased security, period. Security is one of the greatest benefits of moving to the cloud along with uniformity, operational cost savings, and scalability. Learn more in this article’s top ten benefits list.
SMART has several layers of security that protect all data stored in the cloud.
Virtual Private Cloud (VPC)
The first layer is the Virtual Private Cloud (VPC). Data is stored in an encrypted environment. Only SMART data can pass in and out of this environment. Custom-built firewall rules allow us to prevent unwanted access.
SMART Dedicated Servers
The servers that run SMART in the cloud are “purpose-built”; they run SMART only. This prevents the risk of end users downloading malicious files from the internet. If a user opens a bad email or web link, only their computer will be affected.
In a shared environment, downloading a bad file or opening a malicious email can cause a virus to spread throughout the organization, bringing productivity to a halt.
Amazon Aurora provides point-in-time recovery for cloud-based customers. In the unlikely event that a database restore is necessary, the latest backup is no more than 7 minutes old, with the next-oldest full database backup being from the previous night.
SMART maintains one year of daily database backups and migrates older backups to AWS Glacier for long-term retention. Specific data is retrievable from any of the available backup copies. *A fee applies for this service.
Trend Micro is a leader in providing cloud system and application security. This solution equips our servers with antivirus and malware protection, as well as intrusion detection, file integrity monitoring, and vulnerability scanning.
Armor Cloud Security
SMART has teamed up with ARMOR to take our cloud security to the next level. ARMOR provides SMART with Security-as-a-Service.
A team of security engineers constantly monitors the environment, responds immediately to potential threats, and provides recommendations based on the latest developments in cloud security. Their expertise in the security field helps prevent attacks before they happen. They were able to detect and prevent the WannaCry virus two months before it spread worldwide. Armor allows SMART to focus on delivering the best application experience while also providing an industry-leading security solution.
Best EHR Security Measures
In conclusion, the best EHR security measure that you can take is to choose a cloud-hosted environment. In the event of an attack, cloud-based EHR users are only responsible for their local environment’s security. SMART takes ownership of getting the EHR back up and running.