How to ensure your cloud EHR is as secure as possible

Received wisdom is that cloud EHR is more vulnerable to security breaches than on-premise systems. However, the evidence supporting this claim is less than clear and may only be anecdotal at best. Theoretically speaking, a cloud-based EHR should be more vulnerable to attack given the manner in which data is transferred and stored. In a cloud infrastructure, data is stored off site on third party servers, which not only exposes the data to risk when moving from on site to off site.

Furthermore, given that data is stored off-site and maintained by a third party it wrests control of security from a practice to a matter exclusively handled by the cloud service provider. In this sense, practices cede a great deal of control and by association protection of their data to a third party. Given the nature of cloud EHR, what processes can practices put in place to ensure that their data is as safe as possible?

In a 2015 Infoworld article, cloud computing expert David Linthicum frames the question of cloud security as being defined by two factors. He states, “One is the planning and technology that goes into engineering the security solution. The other is the organization's ability to operate systems in proactive and secure ways.”

Vendor-side security measures

Although a practice cannot control how a cloud service vendor protects data, a practice can preemptively reduce risk by selecting a provider whose security measures offer the best opportunity to reduce the danger of a data breach. For example, cloud service providers should, at a minimum, offer customers security measures such as role-based access, data encryption, and access monitoring. Furthermore, the provider should have attained government data security certifications and other security endorsements issued by nongovernment entities who provide data security audits.

Recommended reading: find cloud EHR providers with strong security protocols with our completely up-to-date EHR vendor directory.

Practice-side security measures

An organization can control the manner in which it protects itself from security risk by its on-site practices. Providers using cloud-based EHR can minimize security risks by tightening security practices around how users access data from desktop systems and portable devices. One of the foundations of on-site data security involves ensuring all data is encrypted.

However, encryption should not be viewed as the pinnacle for security, as an unauthorized user can work around encryption measures to access data. Rather a second layer of protection should rest in controlling access to devices and applications. Controlling access involves measures such as creating password and access protocols that reduce the risk of unauthorized access.

Regardless of their level of security, all EHRs (cloud and on-premise alike) will be subject to some level of data breach-related risk. However, providers can take steps to mitigate this risk. The reduction of this risk involves both the process of selecting an EHR product that can effectively meet this risk from a technological standpoint and by implementing in-house practices that can further reduce this risk. When combining these two strategies practices can exercise a greater level of control of data security while still reaping the benefits of flexibility and scalability offered by cloud EHR systems.