
    10 ways to improve patient data security


    In a client-server network, where the server that stores the EHR is located on-site, the providers and staff access the EHR through their computer network. If a practice uses a cloud-based EHR, in contrast, the application and the data are stored on a remote server, and individual workstations and other computers reach the EHR through a web browser. 

    Cloud-based EHR vendors configure the security features for their servers, “so it’s more seamless and you don’t have to worry about that [part of security],” says Kim. It can be tricky for practices to configure those features properly in client-server networks, she notes; they may have to hire outside help (see sidebar).

    On the other hand, the cloud vendor’s security protects only the remote server, not the practice IT infrastructure, she points out. If somebody steals a password, or if malware gets into the network, the practice’s data security is still at risk.

    Other deficiencies in basic security can also leave data vulnerable, notes Nussbaum. Many practices, for example, don’t apply security patches to their computer operating systems. Moreover, many groups are still using outmoded operating systems such as Windows XP, which Microsoft no longer supports and which represents an invitation to hackers, he adds. No practice concerned about security should stick with these older operating systems, he says.

     Authenticate users 

    Most EHRs authenticate users with a login name and a password. Experts say practices should frequently change passwords and make them complex enough to foil hackers. 

    Kim suggests changing passwords every 60 to 90 days. Even then, hackers using a “brute force” attack—in which the attacking computer runs through a large number of combinations—may be able to figure out a password, she says.

    A better approach, she says, is two-factor authentication. This method couples a password with a second factor: biometric identification such as a thumbprint, a text that a user has to respond to, or some other factor that only authorized users can provide.


     Provide remote access securely

    Providers may need remote access from home or other locations to do their work. If a practice has a cloud-based EHR, users with remote privileges can access the EHR in the usual way through their web browser. 

    In a practice with a client-server network, however, remote users must access the network to get to the EHR. If a user’s home computer is infected with malware, a robust firewall coupled with antivirus and intrusion detection software will help keep the malware out of the system. But cyber thieves can still steal data during remote user sessions if the link with the network is insecure.

    To prevent this, experts recommend using a virtual private network (VPN) that encrypts all of the data in transit and disappears after a session is over. A VPN is a secure, temporary computer-to-computer connection within the public internet. Practices can easily download VPN software, Kim says, but need someone with technical expertise to install and configure it.


     Adopt role-based access

    Most EHRs allow practices to configure their software to limit different levels of the system to employees who need to use that portion of the application and view the associated data. 

