Security Questions for EHR Vendors

What Should Physician Group Practices Ask?
Physician group practices shopping for an electronic health records system should ask software companies plenty of questions about security issues.

Software certified for the new Medicare and Medicaid incentive program must include a long list of security capabilities. Nevertheless, clinics acquiring EHRs need to do far more than simply select certified software to ensure their records have adequate protections, security experts say. And keep in mind, the certification program won't even begin for several months.

Eric Nelson, a practice leader at the Lyndon Group, and Jack Daniel, project leader at Concordant, offer the following tips:

  • Ask specific questions about the security functions included in the software, including what methods of encryption, access control and authentication it offers.
  • Determine whether the vendor is willing to be audited to make sure it is continually in compliance with the HIPAA privacy and security rules.
  • When preparing a business associate agreement with the company, ask for specific contractual assurances on security.
  • If the vendor offers remote support, ask how it would gain access to your environment.
  • Inquire about the vendor's threat and vulnerability management process and the tooling behind it. Ask how the company tests for new vulnerabilities and generates patches, and on what schedule. Daniel suggests asking: "Are patches released regularly, or is it more reactive later down the road, which could definitely cause some problems that would need to be mitigated in your own environment?"
  • Demand customer references on security issues, as well as copies of past security audits and vulnerability scans.
  • If the EHR is remotely hosted, ask for details on the security architecture, as well as physical security at the data center. Inquire about data backup procedures. Also ask how you would obtain and protect your information if the vendor fails or is acquired by another company. "This is an area that a lot of people might not even think about," Nelson notes.
  • If using the remotely hosted model, ask whether the vendor can offer your clinic dedicated space in the hosted environment, rather than a shared environment. "If environments are shared, that means information isn't necessarily siloed, and you're relying on lower-level access control mechanisms," Daniel says.

See also a companion story about important security steps for physician groups, including conducting a thorough risk assessment.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
