Security Questions for EHR Vendors: What Should Physician Group Practices Ask?
Software certified for the new Medicare and Medicaid incentive program must include a long list of security capabilities. Nevertheless, clinics acquiring EHRs need to do far more than simply select certified software to ensure their records have adequate protections, security experts say. And keep in mind, the certification program won't even begin for several months.
- Ask specific questions about the security functions included in the software, including what methods of encryption, access control and authentication it offers.
- Determine whether the vendor is willing to be audited to make sure it is continually in compliance with the HIPAA privacy and security rules.
- When preparing a business associate agreement with the company, ask for specific contractual assurances on security.
- If the vendor offers remote support, ask how it would gain access to your environment.
- Inquire about the threat and vulnerability management technology that the EHR uses. Ask how the company tests for new vulnerabilities and generates patches. Daniel suggests asking: "Are patches released regularly, or is it more reactive later down the road, which could definitely cause some problems that would need to be mitigated in your own environment?"
- Demand customer references on security issues, as well as copies of past security audits and vulnerability scans.
- If the EHR is remotely hosted, ask for details on the security architecture, as well as physical security at the data center. Inquire about data backup procedures. Also ask how you would obtain and protect your information if the vendor fails or is acquired by another company. "This is an area that a lot of people might not even think about," Nelson notes.
- If using the remotely hosted model, ask whether the vendor can offer your clinic dedicated space in the hosted environment, rather than a shared environment. "If environments are shared, that means information isn't necessarily siloed, and you're relying on lower-level access control mechanisms," Daniel says. (See also a companion story about important security steps for physician groups, including conducting a thorough risk assessment.)