How to Enhance EHR Security for Small Businesses

October 30th, 2017

Using a few added security services, small and medium businesses can run affordable EHR systems without worry. Find your options. 

Whether your practice uses a thousand-dollar EHR (Electronic Health Record) or free software, security should be your primary concern. Small and medium businesses (SMBs) are not financially equipped to pay a large sum for expensive EHR systems. Moreover, the software from large vendors may not exactly meet the requirements of SMBs. For these reasons, SMBs often rely on less expensive options.

This is arguably a smart move from an economic point of view. But what about security of health information in electronic health records? Do these systems fully comply with regulatory requirements including HIPAA? Is there a way to enhance the security of EHR using other means?

EHR Security for Small Business

No doubt, the government requires every EHR vendor to follow basic security measures like encryption (during storage) and access control. However, these might not be enough to prevent a sophisticated attack. Moreover, a number of processes carried out while using an EHR can still be open to attack, for example texting, videoconferencing (video telehealth), and sending or receiving email.

As per HIPAA, EHR vendors become business associates only when they have access to the health information. Simply put, if they host your data, they have to comply with all the requirements just like the covered entities. However, those vendors who merely sell software do not need to sign a business associate agreement (BAA).

In order to maintain privacy and security of health data, EHRs must encrypt the data and allow limited access to PHI (access control). But security issues may arise when your practice uses an EHR system from a vendor which is not your business associate. In such case, it is your responsibility to make sure that the data do not get into wrong hands. Also, remember that EHR HIPAA compliance does not mean your entire practice complies with HIPAA.

Encryption during storage and access control may not always be able to prevent a breach. This is evident from the rising number of health data breaches across the country. Since an EHR involves many processes other than storage, such as data transmission through email, texting and videoconferencing, hackers have plenty of ways to get into the system.

What is an EHR? Know its Benefits

An EHR is a real-time, patient-centered record of all health information of a patient that can be accessed instantly only by authorized users. Simply put, it is a digitized form of paper-based patient records.

The individuals who have access to the information are patients, providers and other healthcare professionals involved in the treatment. Most notably, the information may be shared with healthcare organizations other than the one where the patient was treated.

In its most primitive form, an EHR contains a patient's medical and treatment history. However, it can also include patients’:

  • Diagnoses
  • Medications
  • Treatment plans
  • Immunization dates
  • Allergies
  • Radiology images
  • Laboratory and test results
  • Conversations between doctors and patients

The major benefits of EHR include:

  • Improved patient care due to better clinical decisions and coordinated care.
  • Reduced cost and more efficient medical practice.
  • Increased patient participation.
  • Better treatment outcomes.

How an Expensive EHR System like EPIC Differs from Open Source Systems

For SMBs, paying hundreds (or thousands) of dollars for an EHR system is not financially feasible. Keeping that in mind, many vendors provide open source software like Practice Fusion, OpenMRS, VistA, and One Touch EMR.

Before you opt for any such option, you should know the basic difference between expensive EHRs and their free counterparts. Here we compare the features of EpicCare and Practice Fusion.

Parameters of Comparison          | EPIC                                                                              | Practice Fusion
Cost                              | Available on request                                                              | Free
Primary Target Customers          | Large health systems                                                              | Private Practice
Availability of mobile application? | No                                                                              | Yes
Operating System                  | Windows                                                                           | Windows, Mac, and Android and iOS (for mobile platform)
Countries Available               | United States, Australia, Denmark, Netherlands, Saudi Arabia, Singapore, UAE      | United States


Common Security Measures Employed by EHR Systems

In order to keep sensitive patient data safe and secure, an electronic health record system may employ the following security measures:

  1. Encryption during storage. The stored information is readable only to individuals who hold the encryption key, and the key is made available only to authorized individuals.
  2. Encryption during transmission, i.e. SSL-secured connections at a minimum.
  3. Access control. The main idea is to limit access to sensitive information. Using tools like passwords and PINs, the system grants access only to authorized individuals, like the patient’s doctors or nurses.
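The access-control measure above is easiest to see in code. The following is an added example (not code from LuxSci or from any EHR product named on this page); all users, roles, record sections and the role-to-section policy are constructed for illustration. It models two rules the page describes: a record is readable only by the patient and by the clinicians involved in that patient's treatment, and each role sees only the sections it needs, with every access attempt (allowed or refused) written to an audit log so a reviewer can spot misuse.

```python
"""Minimal access-control check with an audit trail for EHR records.

Added example, not from LuxSci or any EHR product: every identifier here is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class User:
    user_id: str
    role: str                 # "patient", "provider" or "billing" (constructed roles)


@dataclass
class Record:
    patient_id: str
    care_team: set            # provider user_ids currently treating this patient
    sections: Dict[str, str]  # e.g. {"diagnoses": ..., "billing": ...}


# Which record sections each role may read (assumed policy for this example).
ROLE_SECTIONS = {
    "patient":  {"diagnoses", "medications", "allergies", "lab_results"},
    "provider": {"diagnoses", "medications", "allergies", "lab_results", "notes"},
    "billing":  {"billing"},
}

audit_log: List[dict] = []


def _audit(user: User, record: Record, section: str, allowed: bool, reason: str) -> None:
    """Append one audit entry; a real system would write to tamper-evident storage."""
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.user_id, "role": user.role,
        "patient": record.patient_id, "section": section,
        "allowed": allowed, "reason": reason,
    })


def read_section(user: User, record: Record, section: str) -> Optional[str]:
    """Return the section text if the user is authorised, else None; always audits."""
    # 1. The role must be permitted to see this kind of data at all.
    if section not in ROLE_SECTIONS.get(user.role, set()):
        _audit(user, record, section, False, "section not permitted for role")
        return None
    # 2. Patients may only read their own record.
    if user.role == "patient" and user.user_id != record.patient_id:
        _audit(user, record, section, False, "patient is not the record subject")
        return None
    # 3. Providers must be on the patient's care team (treatment relationship).
    if user.role == "provider" and user.user_id not in record.care_team:
        _audit(user, record, section, False, "provider not on care team")
        return None
    _audit(user, record, section, True, "ok")
    return record.sections.get(section)


def denied_attempts() -> List[dict]:
    """The entries a reviewer looks at first: every refused access."""
    return [e for e in audit_log if not e["allowed"]]


# --- constructed sample data ---
RECORD = Record(
    patient_id="pat-001",
    care_team={"dr-smith"},
    sections={"diagnoses": "example diagnosis", "billing": "example invoice",
              "notes": "example clinical note"},
)
PATIENT = User("pat-001", "patient")
TREATING = User("dr-smith", "provider")
OTHER_DOC = User("dr-jones", "provider")
BILLER = User("acct-07", "billing")

if __name__ == "__main__":
    print(read_section(PATIENT, RECORD, "diagnoses"))   # patient reads own diagnoses
    print(read_section(OTHER_DOC, RECORD, "notes"))     # None: not on the care team
    print(read_section(BILLER, RECORD, "diagnoses"))    # None: billing sees no clinical data
    for entry in denied_attempts():
        print(entry["user"], entry["section"], entry["reason"])
```

The three checks run in a fixed order and every branch writes an audit entry before returning, so a denied request never leaves the log silent; the denied entries are what a practice would review when looking for an account that is probing records outside its treatment relationship.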

Free EHRs rely on you to ensure compliance

The Problem with These Security Measures

A data breach may occur through an “unsecured” website, text, or email. Since a no-frills EHR system is most likely to miss an added layer of security, or to rely on you to know and understand exactly how to implement everything correctly, you cannot expect the EHR system itself to automatically safeguard data from breaches and hackers.

A “no-frills” EHR system is most likely to have one or more of the following problems:

  • More reliance on your hosting infrastructure being secure
  • More bugs and security issues than a large EHR
  • Fewer security and software reviews
  • Less technical support

The Fix

Luckily, you can get a higher level of security against hackers even when using an affordable EHR in your practice. You can work with a third-party service provider like LuxSci that provides a dedicated server, giving you enhanced security, control and flexibility to run the services you want.

Most importantly, we sign a business associate agreement (BAA) with our clients. For your practice to be HIPAA compliant, a BAA is a must.

Using Luxsci’s Dedicated Servers for Your Practice

If you use any PHP/MySQL system, including Practice Fusion, OpenMRS, VistA, or One Touch EMR, we can provide a dedicated server that offers the best security. Our servers are virtual machines running 64-bit CentOS Linux and the latest versions of PHP, Apache, and MariaDB (a better version of MySQL).

You can also use your dedicated server for hosting email (with access via WebMail, POP, IMAP, SMTP, and ActiveSync), web hosting, database hosting, email marketing, SecureForm processing, dedicated inbound email filtering, and dedicated WebMail.

What solution is best for your business and budget?

Click here to talk it over with one of our HIPAA experts.