Online EHR Jeopardizes Patient Data



Recent discussion our CEO, Scott Hoehn, had in the EMR/EHR Group on LinkedIn

Question: Can anyone comment on ASP EHRs versus in-house servers? I have heard mixed comments that include "ASPs are slower for larger practices".

Scott Hoehn • In-house servers are definitely the way to go. Regardless of the "convenience" of being able to connect from anywhere, ASPs have incredible risks when it comes to protecting your patients' data. Just yesterday I received emails from Chase, BestBuy, TiVo, Hilton and various other companies apologizing that Epsilon, their source for email blasts, was infiltrated. Although account details were not extracted (as far as those companies could tell), millions of email accounts were accessed. Should your ASP be broken into, identity thieves hit the mother lode of information. Keep your data in-house, where you can have the most access control over your patients' information. I foresee many identity theft lawsuits in the future, far more than malpractice, because of this. Also, there's the big "what if": what if your ASP is shut down for ANY reason (ethical, legal, bankruptcy, etc.)? How do you retrieve your information to be up and running again? How long would it take? These should be your main concerns, for both your patients' sake and your own financial sake.

Seth Krieger • I am not so sure that I agree when it comes to security. If your database is living in a top-flight data center, I would argue that it is far more secure than it would be on most any office-based server. Add in the built-in disaster recovery, fail-over capability, and backup and you have a pretty convincing case. There is no denying, however, that unless you have superb internet connectivity, there are going to be times when you are going to be "down". The reliability and performance of your internet connection(s) are going to be the primary concerns for most. I think security is a red herring if your vendor is using a top-flight data center.

Scott Hoehn • I agree that many offsite servers are superior to in-house. However, regardless of how secure they are, please keep in mind the "human" element. WHO has access to your patients' data on the other end of the Internet? Is the ASP being outsourced to a country where HIPAA is not regulated? More than SIX HUNDRED EHR companies have popped up over the last year because of the ARRA Stimulus dollars they hope to receive. Many will promise anything to bring you on board. Also, some of the most secure systems/websites were taken down (MasterCard, etc.) when Wikileaks supporters/hackers crashed those systems. Call it paranoia, but a secured, well-configured in-house server system from an established software provider can save a clinic many thousands of dollars monthly, without requiring annual support costs.

Lisa Hanson • Thanks Scott. I appreciate you taking the time to respond. Otolaryngology. Based on the previous comments about security, I think we will keep it all in house.

Scott Hoehn • Glad to help, Lisa! If you need any in-depth questions asked just call us at 407.844.0859.


Christopher Meola • Lisa - I know I am a little late to the party, but if you are going in house I would definitely suggest virtualizing your servers at a data center; I run a practice management company that hosts a server for some of our clients, and not only is there a security issue, but also the issue of continued server expense moving forward. While what you get now is 'top of the line', with the advancement of the software moving forward you can bet on having to buy a brand new server in 3-4 years to maintain the performance you get. In a virtual environment this additional expense is alleviated, as when you need more power you just add on, saving yourself tens of thousands of dollars. Data centers also have enormous internet pipes that alleviate speed issues, and you will never have to worry about loss of connectivity or power. So, unless there is a huge volume of records that have to be scanned in manually, I would definitely consider off-site hosting... And as another note, unless your server has no internet capabilities it is susceptible to hackers regardless of where it is housed....

Scott Hoehn • Keeping to basics, when your servers are on-site, from each workstation, you are only three hardware pieces away from your data at all times (two network cards and a router). That's it. By using any outside source, in addition, you are relying on your DSL modem, thousands of "switches" used through the phone company, telephone lines and a myriad of other components from point A to point B. I agree that all computers with access to the Internet are vulnerable to attack, but hosting and ASP sites contain the mother lode of information. Should you decide on anything but in-house, make sure you have a rock-solid contract with those responsible for protecting your data that they accept 100% responsibility for ANY patient information loss/theft. Read any "not responsible" disclaimers before you sign.

Wade Burt • Excuse the late comment. I agree with Scott Hoehn. Onsite is the way to go for the reason he states. If you stay in house and use solid IT best practices (no full-time access to the Internet from the mission-critical back end, for one example; standard life-cycle replacement budgets, for another), you maintain control and ownership of all your mission-critical systems without being married to an entity that has its best interests ahead of yours.

Let me also mention that regardless of any contract, the vendor cannot possibly take on the responsibility for the public relations disaster that would ensue in the event of a data incursion. I am sure you have seen the notices - "your data was released, but it wasn't us that did it". You know the patient blames the business, not their vendor.

Gerald Curreri • I agree with Scott and Wade, not to mention you literally hand the keys to your practice to a third party when you ASP or SaaS. They control your practice and can shut you down if they have a technical failure or mass security breach, or if you are late paying your bills. Many practices don't understand the risk of this model. Practices will be very dependent on their IT assets and infrastructure. Risks exist on both sides, but less when you bring it in house.

©2014 Ability Clinical Technologies