EHR Shoppers: Ask Plenty of Questions
Nevertheless, EHR shoppers need to ask software companies plenty of questions about security before they select which certified EHR to buy.
Just because software offers the security capabilities required by the certification standards doesn't necessarily mean those security components work well or fit your organization's needs. That's why risk management expert Mac McMillan urges shoppers to ask for a test-drive of all the security functions.
This may seem like an obvious step to take. But it's easy to overlook when the primary focus is on testing the application's functionality and ease of use for recordkeeping tasks.
The EHR software certification program is still several months away from getting off the ground. So for now, all a vendor can offer is a promise that it intends to meet the requirements.
- Is the company willing to provide specific contractual assurances on security in their business associate agreement?
- How will the company test for new vulnerabilities and generate patches? Daniel suggests asking: "Are patches released regularly, or is it more reactive later down the road, which could definitely cause some problems that would need to be mitigated in your own environment?"
- If the EHR is remotely hosted, what is the security architecture and what physical security steps are taken at the data center? How is data backed up? And how would you obtain and protect your information if the vendor fails or is acquired by another company? "This is an area that a lot of people might not even think about," Nelson notes.
It's far better to ask a lot of questions before acquiring an EHR than to be disappointed with the application's security functions -- and the company's policies -- after the software is installed. Quizzing EHR companies about security is a vital component of your risk management strategy.