
Electronic Health Record Security | Cloud Vs. On-Premises OTPs


Are EHRs Secure?

The short answer is yes, but the level of security depends on how your EHR is hosted. If it’s cloud-based, there are many failsafe measures in place to protect your clinic and patient data. On-premises solutions, on the other hand, are less advanced and don’t have the capabilities to stay current with security, performance, and reliability.

Whether a substance abuse treatment clinic’s data is hosted on-premises or in a cloud environment, hackers will try to find a way to ruin your day. Recovering from an attack can be significantly more challenging for on-premises users. Let’s discuss two real-life scenarios we’ve encountered.

On-Premises Electronic Health Record Security 

Scenario #1 – Clinic’s central server infected during a ransomware attack

In the middle of the night, a ransomware virus infected a clinic’s central server, encrypting any file that was not actively in use. Fortunately, the SMART database was in use at that time and thus impervious to infection or alteration. Had it not been in use, SMART would also have been susceptible to the virus. The clinic was able to copy its SMART data to a secure location and restore the entire server from a snapshot made the night before. If the virus had affected the SMART database, or if a server backup had not been available, the results would have been very different – the clinic would have been forced to pay the ransom for a decryption key or lose an entire day’s worth of data.


Scenario #2 – Clinic’s entire server and workstations infected by a ransomware virus

A different clinic got hit quite a bit harder. A ransomware virus infected their workstations and their entire server, including their main SMART folder and database. Next, it spread to their external backup device, encrypting all previous backups.

The clinic had two choices – they could either pay the ransom and hope to get a decryption key or start from scratch with a blank database. At this point, they did not have access to SMART for over two days. If they could not decrypt the data, they wanted to be ready to start from scratch. SMART worked with the clinic to help build out a new server. After two days, they finally received the decryption key and access to their files. In total, they were unable to use SMART for four whole business days.

This was a frustrating and time-consuming situation for both organizations. On-premises users are responsible for recovering from these attacks. Not only must they worry about getting SMART back up and running, but they also must repair and restore any infected workstations.

How cloud-based EHR protects patient healthcare data 

Security concerns for cloud-based users are quite different. Since SMART’s Cloud launched in 2016, there have been zero attacks on cloud partners. It is important to note that if a virus infects a cloud-based user’s machine, there is still a chance of unauthorized access to patient information. However, this is far less likely because of the separation between user and data, as well as the stringent security measures inherent to the cloud environment.

The fact of the matter is that cloud security is far more advanced than traditional on-premises tactics. Choosing a cloud-hosted environment means increased security, period. Security is one of the most significant benefits of moving to the cloud, along with uniformity, operational cost savings, and scalability. Learn more in this article’s top ten benefits list.


SMART has several layers of security that protect all data stored in the cloud.

Virtual Private Cloud (VPC)

The first layer is the Virtual Private Cloud (VPC). Data is stored in an encrypted environment. Only SMART data can pass in and out of this environment. Custom-built firewall rules allow us to prevent unwanted access.

SMART Dedicated Servers

The servers that run SMART in the cloud are “purpose-built”; they run SMART only. This removes the risk of end users downloading malicious files from the internet onto those servers. If a user opens a bad email or web link, only their own computer will be affected.

In a shared environment, downloading a corrupt file or opening a malicious email can cause a virus to spread throughout the organization, bringing productivity to a halt.

Amazon Aurora

Amazon Aurora provides point-in-time recovery for cloud-based customers. In the unlikely event that a database restore is necessary, the most recent restore point is no more than 7 minutes old, and the next-oldest full database backup is from the previous night.

SMART maintains one year of daily database backups and migrates older backups to AWS Glacier for long-term retention. Specific data is retrievable from any of the available backup copies. *A fee applies for this service.
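The backup timeline the page describes (a restore point at most 7 minutes old, nightly full backups, a year of daily copies before tiering to Glacier) and the two on-premises scenarios above, as an added model in Python. This is illustrative code, not SMART’s or AWS’s own; the class and function names are hypothetical and the incident and backup times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Policy values stated on the page; the surrounding model is constructed
# (hypothetical names, not SMART's or AWS's own API).
PITR_MAX_AGE = timedelta(minutes=7)      # point-in-time restore lag
WARM_RETENTION = timedelta(days=365)     # daily copies kept before Glacier

@dataclass
class BackupSet:
    nightly: List[datetime]   # timestamps of nightly full backups
    pitr: bool = False        # continuous point-in-time backup enabled?
    isolated: bool = True     # unreachable from the host that was hit?

    def usable(self) -> List[datetime]:
        # Scenario #2: an attached backup device was encrypted with the
        # server, so none of its copies can be restored.
        return self.nightly if self.isolated else []

def recovery_point(bset: BackupSet, incident_at: datetime) -> Optional[datetime]:
    """Latest clean state that can be restored, or None if nothing survives."""
    if bset.pitr and bset.isolated:
        # Continuous backup lands within the lag window before the incident.
        return incident_at - PITR_MAX_AGE
    before = [b for b in bset.usable() if b < incident_at]
    return max(before) if before else None

def data_loss(bset: BackupSet, incident_at: datetime) -> Optional[timedelta]:
    """Worst-case window of lost data (the recovery point objective achieved)."""
    rp = recovery_point(bset, incident_at)
    return None if rp is None else incident_at - rp

def plan_tiering(backups: List[datetime], now: datetime) -> dict:
    """Split daily copies into the warm year and the Glacier archive."""
    warm = sorted(b for b in backups if now - b <= WARM_RETENTION)
    cold = sorted(b for b in backups if now - b > WARM_RETENTION)
    return {"warm": warm, "glacier": cold}

def page_scenarios() -> dict:
    # Constructed incident at 02:30 with nightly backups taken at 23:00.
    incident = datetime(2024, 3, 5, 2, 30)
    nightly = [datetime(2024, 3, 3, 23, 0), datetime(2024, 3, 4, 23, 0)]
    return {"onprem_snapshot": data_loss(BackupSet(nightly), incident),
            "onprem_backups_hit": data_loss(BackupSet(nightly, isolated=False), incident),
            "cloud_pitr": data_loss(BackupSet(nightly, pitr=True), incident),
            "tiering": plan_tiering([datetime(2023, 1, 1), datetime(2024, 1, 1)], incident)}
```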

Trend Micro

Trend Micro is a leader in providing cloud system and application security. This solution equips our servers with antivirus and malware protection, as well as intrusion detection, file integrity monitoring, and vulnerability scanning.
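File integrity monitoring, listed above as one of the server controls, works by recording a hash baseline and re-hashing later. The Python example below is an added, constructed illustration (hypothetical names, a constructed alert threshold and sample files), not Trend Micro’s product, of how a mass rewrite of watched files like the one in Scenario #1 shows up.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed threshold: alert when more than half of the watched files
# changed or vanished between two scans. Hypothetical code, not a product.
MASS_CHANGE_RATIO = 0.5

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(root: Path, base: dict) -> dict:
    """Re-hash root and report what differs from the recorded baseline."""
    current = baseline(root)
    modified = sorted(k for k in base if k in current and current[k] != base[k])
    missing = sorted(k for k in base if k not in current)
    added = sorted(k for k in current if k not in base)
    ratio = (len(modified) + len(missing)) / len(base) if base else 0.0
    return {"modified": modified, "missing": missing, "added": added,
            "ratio": ratio, "alert": ratio > MASS_CHANGE_RATIO}

def demo() -> dict:
    """Constructed scenario: baseline four files, then most are rewritten."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for i in range(4):
            (root / f"chart{i}.txt").write_text(f"sample record {i}\n")
        base = baseline(root)
        # Files that are not in use get overwritten with unrelated bytes,
        # and one is renamed: the pattern Scenario #1 describes.
        for i in range(3):
            (root / f"chart{i}.txt").write_bytes(os.urandom(32))
        (root / "chart0.txt").rename(root / "chart0.txt.locked")
        return compare(root, base)
```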


Armor Cloud Security

SMART has teamed up with ARMOR to take our cloud security to the next level. ARMOR provides SMART with Security-as-a-Service.

A team of security engineers continuously monitors the environment, responds immediately to potential threats, and provides recommendations based on the latest developments in cloud security. Their expertise in the security field helps prevent attacks before they happen. They were able to detect and prevent the WannaCry virus two months before it spread worldwide. Armor allows SMART to focus on delivering the best application experience while also providing an industry-leading security solution.

Best EHR Security Measures 

In conclusion, the best EHR security measure that you can take is to choose a cloud-hosted environment. In the event of an attack, cloud-based EHR users are only responsible for their local environment’s security. SMART takes ownership of getting the EHR back up and running. Learn more about SMART’s Cloud-Based EHR Software.

How Does HIPAA Impact Electronic Health Records and End Users?

How SMART’s EHR Helps with HIPAA Compliance


Privacy and Security Rules

HIPAA affects both EHRs and end users. There are precise rules and regulations about sharing and storing electronic protected health information (ePHI) that, if broken, can result in civil violations, criminal penalties, hefty fines, and even jail time. The following details the best ways to store PHI safely and the responsibilities of treatment programs and EHRs like SMART.

Let’s start by looking at HIPAA’s two primary rules: 

  1. The Privacy Rule: This establishes standards for the protection of individuals’ medical records and other personal health information.
  2. The Security Rule: This requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).

EHRs’ responsibility under HIPAA

As a cloud-based EHR provider, SMART is responsible for addressing many of the Privacy Rule provisions and all of the Security Rule provisions. These include securing, encrypting, and backing up our Partners’ ePHI to ensure its security and integrity, and periodically testing our readiness for possible threats.

We accomplish this by performing routine, thorough Security Risk Assessments to ensure we are appropriately safeguarding all ePHI we receive, maintain, transmit, or process on behalf of treatment providers.

Performing Security Risk Assessments

Understanding how to address HIPAA requirements begins with a full Security Risk Assessment, defined by HIPAA as “a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic health information.” (1)

The following questions are adapted from NIST Special Publication (SP) 800-66. They are examples of what you should consider as part of the analysis:

1. Have you identified all the ePHI within your organization, including ePHI you create, receive, maintain, or transmit?
2. What are the external sources of ePHI? In other words, do your vendors or consultants create, receive, maintain, or transmit ePHI?
3. What are the human, natural, and environmental threats to information systems that contain ePHI?

How Does HIPAA Affect Addiction Treatment Providers?

As covered entities, treatment providers are responsible for addressing all provisions of both the Privacy Rule and the Security Rule. Many of the Privacy Rule requirements must be addressed outside the EHR itself, such as maintaining a sound set of HIPAA policies, training all workforce members, posting notices, and supporting the patient rights that HIPAA grants.

To ensure compliance, work through the three questions listed above so that all of your ePHI is protected against any reasonably anticipated threats and vulnerabilities. Doing this helps protect both your organization and your patients.

Storing Protected Health Information (PHI)

Electronic vs. paper health records

Do you process every document in your clinic electronically, or are you still hanging on to paper charts? Entering, searching, and storing data electronically makes being audit-ready and HIPAA-compliant much more manageable.

There are three main benefits to being 100% paperless. The first is organizational efficiency: being electronic helps ensure that all staff have access to the same up-to-the-minute patient information at the same time. Next, you can implement quality control processes such as standardized forms and auto-scheduled regulatory services. Finally, you can improve data collection standards by creating service-type templates with required questions built in.

Cloud vs. on-premises hosting

Beyond electronic data processing, how you host your data is vital to data security. Cloud-hosted solutions provide, by far, better security capabilities than traditional on-premises hosting. For example, clinics with PHI hosted on-premises are much more vulnerable to data loss during malicious attacks because they cannot perform tasks like point-in-time recovery.

The SMART way

SMART’s Cloud-Based EHR, powered by Amazon Web Services, helps covered entities subject to HIPAA maintain and store protected health information. SMART employs several layers of security, including our virtual private cloud (VPC), Amazon Aurora, Trend Micro, and Armor Cloud Security, to protect data stored in the cloud.

Our EHR platform builds in safeguards, and AWS adheres to all HIPAA requirements. As a result, end users benefit from audit and data integrity controls, malware protection, PHI encryption, backup and storage, automatic logoff, security incident detection and response, and contingency operations processes. Learn more about SMART’s Cloud-Based EHR Software.

(1) https://www.hhs.gov/hipaa/for-professionals/index.html