Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/22/2011
12:04 PM
50%
50%

EHR Data In Cloud Needs Strong Security Trail

Presenters at a recent Legal EHR Summit warn healthcare providers to press their vendors for clear answers on security.

Healthcare Innovators
Slideshow: Healthcare Innovators
(click image for larger view andfor full slideshow)
With healthcare's unique information security requirements, the growth of cloud-based electronic health records (EHRs) is raising a number of new issues regarding data stewardship and organizational responsibility.

According to Gerard Nussbaum, director of technology services at management consultancy Kurt Salmon Associates, the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules do not specify whether a provider using a cloud-based EHR owns data in the medical records or if the information belongs to the service host. Speaking last week at the American Health Information Management Association (AHIMA) Legal EHR Summit in Chicago, Nussbaum recommended that healthcare providers explicitly negotiate data usage in contracts, particularly in case of a breach.

"Nothing is secure from breaches," noted Nussbaum, an attorney. Knowing this, he said it's best to "iron out up front" what each party's legal responsibility is in the event of a breach, such as who must notify individuals whose data may have been compromised.

Health information management consultant Sandra Nunn, who participated in a panel discussion on managing health information in the cloud, said she wants her clients to reach a clear understanding with their vendors about whether information will be sequestered in the cloud if there is a breach and whether there will be an easily accessible audit trail.

"Having multiple cloud vendors can complicate your situation," Nunn said. She surmised that it might be a good idea for providers to ask their vendors once or twice a year to create an audit log just to make sure it's possible.

This soon could become more urgent, based on a recent proposal from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). In what is being called the "accounting for disclosures" rule, OCR has proposed changing existing HIPAA privacy standards to require "covered entities" to produce disclosure reports within 30 days of a patient's request, rather than the current 60 days.

Another panel member, Daniel Orenstein, senior VP and general counsel of EHR and physician business services provider Athenahealth, Watertown, Mass., said that he has never actually seen a patient request an accounting for disclosures. It would take a good amount a work on the provider end to compile the information, but EHRs are capable, whether in the cloud or on a local server. "We certainly can produce it," Orenstein said.

Athenahealth did not submit formal comments to HHS on the proposed accounting rule, according to Orenstein, but the company, which long has offered remotely hosted services, is emblematic of the way the health IT industry is shifting, particularly for small physician practices. A month ago, Athenahealth announced plans to acquire Proxsys, a provider of care-coordination services that links physicians and hospitals via the cloud, to beef up its health information exchange capabilities.

Because of this trend, Nussbaum said due diligence must be an ongoing process. Providers should, for example, be aware of how they would get their data back should they stop using a cloud-based EHR or simply switch vendors.

He recommended walking away from any vendor that refuses to run a security audit because it suggests that the vendor is not serious about transparency. "You have to do the security audit one way or another," Nussbaum said, even if it is through a third party.

Nussbaum also said to avoid "shrinkwrap" licenses that don't take into account individual customers' needs in HIPAA business associates agreements.

Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.