The Security Scrutinizer with Howard Anderson

EHR Shoppers: Ask Plenty of Questions

Nevertheless, they need to ask software companies plenty of questions about security issues before they select which certified EHR to buy.

Just because software offers the security capabilities required by the certification standards doesn't necessarily mean the security components function well and fit your organization's needs. That's why risk management expert Mac McMillan urges shoppers to ask for a test-drive of all the security functions.

This may seem like an obvious step to take. But it's easy to overlook when the primary focus is on testing the application's functionality and ease of use for recordkeeping tasks.

The EHR software certification program is still several months away from getting off the ground. So for now, all vendors can offer is the promise that they intend to meet the requirements.

In the meantime, Eric Nelson, a practice leader at the Lyndon Group, and Jack Daniel, project leader at Concordant, suggest asking EHR companies many specific security questions, including:

  • Is the company willing to provide specific contractual assurances on security in its business associate agreement?
  • How will the company test for new vulnerabilities and generate patches? Daniel suggests asking: "Are patches released regularly, or is it more reactive later down the road, which could definitely cause some problems that would need to be mitigated in your own environment?"
  • If the EHR is remotely hosted, what is the security architecture and what physical security steps are taken at the data center? How is data backed up? And how would you obtain and protect your information if the vendor fails or is acquired by another company? "This is an area that a lot of people might not even think about," Nelson notes.

It's far better to ask a lot of questions before acquiring an EHR than to be disappointed with the application's security functions -- and the company's policies -- after the software is installed. Quizzing EHR companies about security is a vital component of your risk management strategy.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
