Dark Reading is part of the Informa Tech Division of Informa PLC
Risk

8/22/2011 12:04 PM

EHR Data In Cloud Needs Strong Security Trail

Presenters at a recent Legal EHR Summit warn healthcare providers to press their vendors for clear answers on security.

With healthcare's unique information security requirements, the growth of cloud-based electronic health records (EHRs) is raising a number of new issues regarding data stewardship and organizational responsibility.

According to Gerard Nussbaum, director of technology services at management consultancy Kurt Salmon Associates, the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules do not specify whether a provider using a cloud-based EHR owns the data in the medical records or whether that information belongs to the service host. Speaking last week at the American Health Information Management Association (AHIMA) Legal EHR Summit in Chicago, Nussbaum recommended that healthcare providers explicitly negotiate data usage in their contracts, particularly for the case of a breach.

"Nothing is secure from breaches," noted Nussbaum, an attorney. Knowing this, he said it's best to "iron out up front" what each party's legal responsibility is in the event of a breach, such as who must notify individuals whose data may have been compromised.

Health information management consultant Sandra Nunn, who participated in a panel discussion on managing health information in the cloud, said she wants her clients to reach a clear understanding with their vendors about whether information will be sequestered in the cloud if there is a breach and whether there will be an easily accessible audit trail.

"Having multiple cloud vendors can complicate your situation," Nunn said. She suggested that providers ask each vendor once or twice a year to produce an audit log, simply to confirm that the vendor can actually do so before a breach or a patient request makes it necessary.

This could soon become more urgent, based on a recent proposal from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). In what is being called the "accounting for disclosures" rule, OCR has proposed changing the existing HIPAA privacy standards to require "covered entities" to produce disclosure reports within 30 days of a patient's request, rather than the current 60 days.

Another panel member, Daniel Orenstein, senior VP and general counsel of EHR and physician business services provider Athenahealth, Watertown, Mass., said that he has never actually seen a patient request an accounting of disclosures. It would take a good amount of work on the provider's end to compile the information, but EHRs are capable of it, whether hosted in the cloud or on a local server. "We certainly can produce it," Orenstein said.
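The two practical points above, Nunn's suggestion that providers periodically ask a vendor to produce an audit log to confirm it can, and Orenstein's point that an accounting of disclosures must be compiled from what the EHR records, come down to the same capability: a structured, exportable audit trail. The following is an added example, not code from the article, from Athenahealth or from any EHR vendor. It assumes a hypothetical JSON-lines audit export with the fields shown (the field names, the sample events and the patient identifiers are all constructed for illustration) and shows how a provider would compile a per-patient accounting of disclosures from it and sanity-check a periodic export.

```python
import json
from datetime import date, datetime, timedelta

# Constructed sample of an EHR audit export: one JSON event per line, not real
# patient data and not any vendor's actual format. "recipient" is null for
# internal uses (views/updates by the provider's own staff).
SAMPLE_AUDIT_EXPORT = """\
{"ts": "2011-07-01T09:12:00", "patient_id": "P-1001", "actor": "dr.smith", "recipient": null, "purpose": "treatment", "action": "view"}
{"ts": "2011-07-03T14:05:00", "patient_id": "P-1001", "actor": "billing.svc", "recipient": "Acme Health Plan", "purpose": "payment", "action": "disclose"}
{"ts": "2011-07-10T11:30:00", "patient_id": "P-1001", "actor": "him.dept", "recipient": "County Health Dept", "purpose": "public health", "action": "disclose"}
{"ts": "2011-07-12T08:00:00", "patient_id": "P-2002", "actor": "dr.jones", "recipient": "Referral Clinic", "purpose": "treatment", "action": "disclose"}
{"ts": "2011-07-15T16:45:00", "patient_id": "P-1001", "actor": "dr.smith", "recipient": null, "purpose": "treatment", "action": "update"}
"""

# Fields the contract with the vendor would need to guarantee; assumed here.
REQUIRED_FIELDS = {"ts", "patient_id", "actor", "recipient", "purpose", "action"}


def parse_audit_export(text):
    """Parse a JSON-lines export, rejecting any event missing a required field."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        missing = REQUIRED_FIELDS - ev.keys()
        if missing:
            raise ValueError(f"line {lineno}: missing fields {sorted(missing)}")
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def accounting_of_disclosures(events, patient_id, start, end):
    """Rows for one patient's accounting, covering disclosures dated start..end.

    Only releases to a party outside the provider count as disclosures; the
    internal views and updates stay in the audit trail but are not listed.
    """
    rows = []
    for ev in events:
        if ev["patient_id"] != patient_id or ev["action"] != "disclose":
            continue
        if not (start <= ev["ts"].date() <= end):
            continue
        rows.append({
            "date": ev["ts"].date().isoformat(),
            "recipient": ev["recipient"],
            "purpose": ev["purpose"],
            "released_by": ev["actor"],
        })
    rows.sort(key=lambda r: r["date"])
    return rows


def export_covers_period(events, start, end):
    """Check a periodic vendor export: non-empty and every event inside the window.

    An empty export, or one containing events outside the requested period,
    means the vendor's export process is not producing what was asked for.
    """
    if not events:
        return False
    return all(start <= ev["ts"].date() <= end for ev in events)


def response_deadline(request_date, days=30):
    """Date by which the accounting must be delivered (30 days under the proposal)."""
    return request_date + timedelta(days=days)


if __name__ == "__main__":
    evs = parse_audit_export(SAMPLE_AUDIT_EXPORT)
    july = (date(2011, 7, 1), date(2011, 7, 31))
    print("export covers July:", export_covers_period(evs, *july))
    for row in accounting_of_disclosures(evs, "P-1001", *july):
        print(row)
    print("due by:", response_deadline(date(2011, 8, 1)))
```

Running the export check on a window the vendor was not asked for (or receiving an empty file) is exactly the kind of failure Nunn wants discovered during a routine exercise rather than during a breach response.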

Athenahealth did not submit formal comments to HHS on the proposed accounting rule, according to Orenstein, but the company, which has long offered remotely hosted services, is emblematic of the way the health IT industry is shifting, particularly for small physician practices. A month ago, Athenahealth announced plans to acquire Proxsys, a provider of care-coordination services that links physicians and hospitals via the cloud, to beef up its health information exchange capabilities.

Because of this trend, Nussbaum said due diligence must be an ongoing process. Providers should, for example, be aware of how they would get their data back should they stop using a cloud-based EHR or simply switch vendors.

He recommended walking away from any vendor that refuses to undergo a security audit, because the refusal suggests that the vendor is not serious about transparency. "You have to do the security audit one way or another," Nussbaum said, even if it is through a third party.

Nussbaum also said to avoid "shrinkwrap" HIPAA business associate agreements that do not take individual customers' needs into account.
