There’s an industry of small-company web-based Electronic Medical Records / Electronic Health Record (EMR / EHR) applications out there, and more are starting to crop up. They tend to fall into one of two groups that I’ve seen so far: EMRs begun by physicians, and EMRs begun by technology companies obviously targeted at physicians.
The physician-run EMRs tend to work great for physician use, having a design, interface, features, etc. that physicians like, but then fall dramatically short in the areas of data retention, security, disaster recovery, etc. They love to throw out buzzwords like “daily backups” and “we use super duper bank encryption” or “better security than banks”, which of course I’ve yet to see as being even remotely true; i.e., when was the last time you heard of systems at banks that hold financial data allowing access without even two-factor auth?
The tech-run EMRs tend to have a bunch of features on a bulleted list but have horrible interfaces and don’t work the way physicians work, so the users end up hating them.
In any case, I was involved with a customer who was looking at Practice Fusion for a web-based “cloud” EMR. To their credit, and this differs from many other up-and-coming EMRs, they do offer two-factor auth before new browsers/devices can log into a given physician account. Here’s where I take issue with them:
They’ve put up a web page that seems to advise physicians or practices that they should not want to run a local EMR nor back their own data up from a cloud EMR.
PDF copy for posterity: PDF
They justify this opinion by citing the article author’s medical practice’s poor IT decisions that resulted in downtime and/or data loss, such as “a sprinkler system overhead pipe burst and flooded the servers” and “a major traffic collision downed a utility pole which blacked out all power to the entire neighborhood for an entire day … However, were we to have had an externally-hosted server system, then battery-powered laptops and wireless could have had us functioning”
Umm, why were your servers in a room with wet-pipe fire suppression to begin with? If your practice was thriving to the point where an extended power outage caused serious financial loss and/or patient inconvenience, why did you not have a generator? The revenue lost by even a small fully booked healthcare practice losing a full day here and there easily covers the cost of a proper generator. Poor planning = poor results.
My largest issue is with the last paragraph: “The same is true for Practice Fusion’s secure private cloud – the data hosting, backup, security and up-time availability are all in the background. The onus is removed from the burden of the local physician.”
I have absolutely no clue how they can claim the onus of data security is removed from the local physician. HIPAA assigns responsibility for PHI to its owner, i.e. the physician/practice that creates it. Practice Fusion is simply a Business Associate given access to the data, in HIPAA terms. This in no way removes responsibility from the physician/practice that owns the PHI.
Then you’ve got this page:
PDF copy for posterity: PDF
So that knowledgebase article tells you hey, there is NO way for you to back your EMR data up to a local copy, but don’t worry, we use the highest levels of “bank encryption”, whatever that is, to securely store your data. Well, I’m familiar with what many banks do: they use Hardware Security Modules (HSMs) and many other tricks of the trade that I strongly suspect none of these EMRs use, when a solid pair of HSMs is in the $70k range and these EMRs are ‘free’ or very cheap. It goes on to say they use a daily ‘differential backup’ of the database and they’re fully redundant.
Umm, okay, not sure what encrypting the data has to do with a desire to back up the data. Backing up is for preserving data as-is, not for making it inaccessible to someone / something that has breached security. Regarding backups: backing up is for preserving data, redundancy is for data availability, so being ‘fully redundant’ doesn’t change things.
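To make the redundancy-versus-backup distinction concrete, here is an added toy simulation; it is not code from the original post or from Practice Fusion, and the replica count, chart ids, patient names and snapshot date are all constructed. A mirrored store applies every write to all replicas in lockstep, so an operator error (deleting the wrong chart) is copied everywhere and the replicas still “agree”; only the point-in-time snapshot taken before the mistake still holds the record.

```python
"""Added example (not from the original post): why synchronous redundancy is
not a backup. A corrupting write is mirrored to every replica instantly,
while an earlier point-in-time backup still has the record.
All data below is constructed sample data."""

import copy
from datetime import date

# Constructed sample chart data; ids and names are made up.
INITIAL_CHARTS = {
    "chart-001": {"patient": "A. Example", "note": "Annual physical"},
    "chart-002": {"patient": "B. Example", "note": "Follow-up, BP check"},
}

# Constructed date for the nightly snapshot in the scenario below.
SNAPSHOT_DAY = date(2000, 1, 1)


class MirroredStore:
    """Models a 'fully redundant' deployment: N replicas kept in lockstep.
    Every write, good or bad, is applied to all replicas at once."""

    def __init__(self, data, replicas=3):
        self.replicas = [copy.deepcopy(data) for _ in range(replicas)]

    def delete(self, chart_id):
        # Replication does not judge the write; it just propagates it.
        for replica in self.replicas:
            replica.pop(chart_id, None)

    def read(self, chart_id):
        # Any replica can serve reads; they are identical by construction.
        return self.replicas[0].get(chart_id)

    def all_replicas_agree(self):
        return all(r == self.replicas[0] for r in self.replicas)


class SnapshotBackup:
    """Models a point-in-time backup: immutable copies tagged with the day
    they were taken. A later write cannot reach into an earlier snapshot."""

    def __init__(self):
        self.snapshots = {}

    def take(self, data, taken_on):
        self.snapshots[taken_on] = copy.deepcopy(data)

    def restore(self, chart_id, as_of):
        return self.snapshots[as_of].get(chart_id)


def simulate_operator_error():
    """Return (live_value, backup_value) for a chart deleted by mistake."""
    live = MirroredStore(INITIAL_CHARTS, replicas=3)
    backup = SnapshotBackup()
    backup.take(live.replicas[0], SNAPSHOT_DAY)  # nightly copy, before the error

    # Next day: an operator deletes the wrong chart.
    live.delete("chart-002")
    # The deployment is still 'fully redundant': every replica is wrong together.
    assert live.all_replicas_agree()

    return live.read("chart-002"), backup.restore("chart-002", SNAPSHOT_DAY)


if __name__ == "__main__":
    live_value, backup_value = simulate_operator_error()
    print("live replicas:", live_value)   # None: gone on every replica
    print("from backup: ", backup_value)  # the original record
```

The same logic applies to the other losses the user agreement lists (corruption, software malfunction, a breach that alters data): replication makes the bad state highly available, and only a copy taken before the event lets you get the data back.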
Anyway, where we’re left at is the part that pisses me off. They go on and on in the above about how you shouldn’t worry about your data, you shouldn’t want or need to back your data up, everything is great. Then you get to their lawyers’ version of reality in the user agreement customers must agree to:
Section 14.5 states the following:
14.5 Unauthorized Access; Lost or Corrupt Data. WE ARE NOT RESPONSIBLE FOR UNAUTHORIZED ACCESS TO YOUR DATA, FACILITIES OR EQUIPMENT BY PERSONS USING THE SERVICES OR FOR UNAUTHORIZED ACCESS TO, ALTERATION, THEFT, CORRUPTION, LOSS OR DESTRUCTION OF YOUR DATA FILES, PROGRAMS, PROCEDURES, OR INFORMATION THROUGH THE SERVICES, WHETHER BY ACCIDENT, FRAUDULENT MEANS OR DEVICES, OR ANY OTHER MEANS. YOU ARE SOLELY RESPONSIBLE FOR VALIDATING THE ACCURACY OF ALL OUTPUT AND REPORTS, AND FOR PROTECTING YOUR DATA AND PROGRAMS FROM LOSS BY IMPLEMENTING APPROPRIATE SECURITY MEASURES. YOU HEREBY WAIVE ANY DAMAGES OCCASIONED BY LOST OR CORRUPT DATA, INCORRECT REPORTS, OR INCORRECT DATA FILES RESULTING FROM PROGRAMMING ERROR, OPERATOR ERROR, EQUIPMENT OR SOFTWARE MALFUNCTION, SECURITY VIOLATIONS, OR THE USE OF THIRD-PARTY SOFTWARE. WE ARE NOT RESPONSIBLE FOR THE CONTENT OF ANY INFORMATION TRANSMITTED OR RECEIVED THROUGH OUR PROVISION OF THE SERVICES.
So what that big ominous belch of legalese seems to suggest is that if you experience a loss of data, for any reason, including unauthorized access / alteration / theft / corruption / loss / destruction, through their service, whether it’s an accident, fraudulent means, or ANY other means, they’re not responsible. It goes on to say YOU (the customer) are solely responsible for “protecting your data”. You cannot make a claim against them over data loss resulting from corruption, error, operator error, equipment or software malfunction, security breach, etc.
Umm, okay, so you’re telling the customer that they should not worry whatsoever about their data, don’t worry about backing it up, and, in fact, you can’t worry about backing it up because they explicitly have no tool to do so. However, if something does actually happen, they’re not responsible and hey, you were the one responsible for backing it up, with a non-existent method of doing so.
This is why EMRs should have backup tools, and why the person responsible for backing the data up should be properly aware of how to protect it.