Knowing where your EHR data is, and how it is stored and protected, may help you sleep at night.
As you may know, per HIPAA “Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information.” In addition, “Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.” 1
Having a breach could potentially cause great harm to your reputation and be very costly.
The two things that are most important in protecting your data are WHERE and HOW it is stored and protected.
- Client-Server model in your office – this is the old-fashioned practice management and EHR system where you own and maintain the entire system and the servers are in your office. This may appear to be the most secure model for data storage, but there are two significant risks with these systems:
  - You probably don’t have the IT expertise to correctly maintain your services and security system to keep hackers out
  - Your data may not be backed up routinely and accurately (and safely)

  Client-server systems are the favorite target of ransomware hackers: https://healthitsecurity.com/news/ransomware-attack-in-dc-causes-health-data-breach-concerns
- Remotely hosted systems. Some of these are client-server systems, as described above, that are remotely hosted, and some are systems designed as Software-as-a-Service and accessed over the Internet. In general, remotely hosted systems should have more IT expertise in storing and protecting your data, but you need to ask the right questions. The type of system can impact response time and other factors, but from a pure PHI safety perspective you should ask:
  - Is your data maintained in a public cloud such as Amazon or Google?
  - Exactly WHERE is the data?
  - Who owns the servers the data is stored on?
  - How are the servers maintained, including operating systems and product upgrades?
  - What type of data center is used and what are its features?
When it comes to where your data is stored, also consider “off-line” or incidental storage. Currently, the number one cause of PHI breaches is lost or stolen devices that contain unsecured patient data:
- Make sure you have policies and procedures that limit when and why patient data can be extracted from your systems.
- If PHI must be extracted onto local devices, make sure you are using an encryption program, and that data is deleted when it is no longer needed.
- Perform periodic audits of devices to ensure they do not contain unsecured PHI.