August 20, 2009
EHR Safety and Security | Practice Fusion
We recently reviewed the question of putting medical data in the Internet “cloud” from the standpoint of safety (guarding against loss of data), and of security (guarding against theft of data). The discussion was a general overview of the issues involved in paper vs. local EHR deployment vs. hosting in the Internet “cloud” – but what about Practice Fusion? How safe is my medical data on that platform?
As noted in the previous posts, medical information (specifically, Protected Health Information, or PHI – which is subject to HIPAA Privacy Rules) in a paper-based environment is the least safe and secure. Local disasters (like a building fire, hurricane, etc.) can lead to wholesale, irretrievable loss, and individual charts can be lost or looked at inappropriately with relative ease. Office policy is supposed to be in place to address these concerns, but in reality the implementation of this is hit-and-miss across the landscape.
When a practice moves its medical data onto a locally-installed legacy EHR system, there is an improvement in safety and security – not to mention, an improvement in access (charts are always available, never lost, and accessible from in-house as well as remote locations). There are also new vulnerabilities that need to be addressed – is there PHI located on hardware (servers, workstations, backup devices) that could potentially get stolen? Theft of PHI-containing computers is one of the main ways that data-security breaches take place. Is the data on those local servers encrypted? If so, are the encryption keys stored separately, so that theft of a computer with PHI on it does not also include theft of the keys?
And what about electronic intrusion – are there firewalls, access controls and 128-bit encryption-secured connections in place? These kinds of issues may be addressed by a practice hosting its own local EHR server, but generally require an IT support vendor (a new line item of cost to a practice) to set it up. The IT support consultant has been called “the new best friend” of a medical practice, and represents another barrier to a practice moving from paper to an electronic platform.
When a practice makes a decision to move its EHR to a hosted platform (either moving directly there from paper, or by abandoning the use of a local EHR system and moving to “the cloud”), there are better server-end resources available to the practice – as well as new risks (or, at least, perception of risk) – “who are these guys, and can I trust them with my data?” After all, the Internet “cloud” is not inherently secure – yet banking has long used Internet access that we have all become accustomed to over the years. Banking over the Internet has engendered trust by paying very-detailed attention to building secure containers, connections and access to their data. Can this be replicated for Internet-hosted PHI?
Practice Fusion has devoted great resources to security, and to building its applications in a way that meets-or-exceeds what is required by the HIPAA Privacy Rules. The servers are hosted in secure commercial facilities with multi-geography locations, and with safeguards against Denial-of-Service attacks. The data is secured behind firewalls, and encrypted (including the databases, uploaded scanned documents, and backups). Access to the data is protected through 3 keys (user ID, practice ID, and password), which are required to be of sufficient strength that they are un-guessable. Many of the technical security practices implemented by banks, as well as requirements specified by specific HIPAA implementation guidance, are part of an ongoing program of security and privacy, and represent a Continual Quality Improvement effort by Practice Fusion. Using Practice Fusion satisfies the principle of data encryption “at rest” and “in transit”, such that the HITECH “safe harbor” that relieves practices from the burden of disclosure to each-and-every patient in the event of a breach is satisfied – PHI data is secured in a manner that renders it unusable, unreadable, and indecipherable to unauthorized intruders. These are levels of security unlikely to be achieved with a locally-installed EHR system.
So, “is my data safe with Practice Fusion?” Not only is your data safe, it is certainly safer than is achievable with paper charts, and even with most locally-installed EHR systems. Practice Fusion remains committed to ongoing vigilance concerning data safety, and hopes to be able to “set the standard” for satisfying the fears about Internet-housed PHI. The banking sector has been able to achieve this (even without HIPAA) – so should we.
Robert Rowley, MD – Chief Medical Officer, Practice Fusion, Inc.