
June 22, 2010

EMR Question and Answer: Domain Controlled Networks


I got the following question from Brandon about the need to have a domain controlled network in order to comply with HIPAA.

I am currently trying to implement an EMR system in a small practice. I am trying to convince the parties involved that it is necessary to transition to a domain controlled network for security reasons even though this type of network is not required for our EMR system or its server. My understanding of HIPAA is that simply having a firewall does not qualify as a “secured network”. Am I right on this?

Brandon,
You are correct that just having a firewall does not likely qualify as a “secured network.” However, that doesn’t necessarily mean that you need a domain controlled network to meet the HIPAA security standards. You could still manually apply the same security policies that a domain would push out to each individual computer and achieve the same level of security.

Of course, the key word in that statement is “manually.” If you have fewer than 10 computers, this probably isn’t a huge deal and can be done by hand. Once you pass 10 computers (or somewhere in that range), you probably want to consider using Active Directory to manage the security policies on your computers. It’s much easier to apply policies to a large number of computers using Active Directory, and you can know that the policy was applied consistently across your network.
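The weak spot in the “manual” approach is not applying the settings but proving later that every machine still has them. The following script is an added example (not from the original post) that audits one non-domain workstation’s local security policy against a baseline; it assumes it is run elevated on each workstation, and the baseline values are a constructed illustration, not a HIPAA-mandated set.

```powershell
# Added example: audit a non-domain workstation's local password/lockout policy
# against a baseline, so "manually applied" settings can be verified per machine.
# Assumptions: elevated PowerShell; secedit.exe (ships with Windows); the baseline
# values below are constructed for illustration, not prescribed by HIPAA.

# Rule 'Min'       : current value must be >= Value
# Rule 'MaxNonZero': current value must be 1..Value (0 or -1 means never expire / never lock out)
$Baseline = @{
    'MinimumPasswordLength' = @{ Value = 8;  Rule = 'Min' }
    'PasswordComplexity'    = @{ Value = 1;  Rule = 'Min' }
    'PasswordHistorySize'   = @{ Value = 12; Rule = 'Min' }
    'MaximumPasswordAge'    = @{ Value = 90; Rule = 'MaxNonZero' }
    'LockoutBadCount'       = @{ Value = 5;  Rule = 'MaxNonZero' }
}

function Get-LocalSecurityPolicy {
    # Export the effective local policy to a temp .inf and parse its [System Access]
    # section (where secedit writes password and lockout settings) into a hashtable.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
        $policy = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') { $policy[$Matches[1]] = [int]$Matches[2] }
        }
        return $policy
    } finally { Remove-Item -Path $inf -ErrorAction SilentlyContinue }
}

function Compare-ToBaseline {
    param([hashtable]$Policy, [hashtable]$Baseline)
    # One row per baseline setting; Status is DRIFT when the machine is weaker than the baseline.
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $want = $Baseline[$name]; $have = $Policy[$name]
        $ok = if ($null -eq $have) { $false }
              elseif ($want.Rule -eq 'Min') { $have -ge $want.Value }
              else { ($have -ge 1) -and ($have -le $want.Value) }
        [pscustomobject]@{ Setting = $name; Current = $have; Baseline = $want.Value; Status = if ($ok) { 'OK' } else { 'DRIFT' } }
    }
}

$results = Compare-ToBaseline -Policy (Get-LocalSecurityPolicy) -Baseline $Baseline
$results | Format-Table -AutoSize
# Non-zero exit code lets a scheduled task or a tech walking office to office flag drifted machines.
if ($results.Status -contains 'DRIFT') { exit 1 }
```

Running this on each workstation gives the consistency check that a domain would otherwise provide for free; once the office grows past the size where walking the script around is practical, that is the point at which Group Policy starts to pay for itself.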

You also shouldn’t ignore the other benefits of a domain controlled network. I’ve written previously about the benefits of things like shared drives as a nice companion to an EMR. Active Directory makes adding these shared drives trivial. It’s also a nice benefit to have a single login that’s managed by the domain and works on every computer in the office.

Plus, if your EMR runs on SQL Server and you buy a nice but inexpensive server with Windows Small Business Server, then you already have the software for Active Directory. So it’s really an easy decision to use it. I’ve implemented it at a site with 5 computers and it’s been a great thing to have even if it’s a bit of overkill.

    4 responses to "EMR Question and Answer: Domain Controlled Networks"

    1. Trent Peters commented on July 6th, 2010:

      This is an interesting question and can be argued either way, but again it comes down to what’s “reasonable and appropriate”. A little background: my company is an IT consulting group that works specifically in the healthcare arena offering services to medium-sized and small healthcare organizations, and we have plenty of EMR implementation experience. Over 95% of our clients are in a domain environment and we always push for an Active Directory environment if one is not present. However, in the small offices (1 – 2 providers) this can be difficult because of the initial cost and the fact it’s “server” based. Many small offices will choose a “hosted” EMR solution for the low up-front cost, and adding on the extra 5 – 7K is not a valid option as the cost outweighs the benefits (from their perspective). The other 5% simply do not have the same security and manageability as the domain environments.

      Any network security solution is only as strong as the weakest link. While not having a domain controller doesn’t necessarily equate to not being HIPAA compliant, it sure helps secure the environment to IT best practices. We call the Domain / Active Directory server the “Management” server because it provides more functions than just AD. For instance: WSUS patch management to make sure all computers have the latest security patches and don’t have the updates that may conflict with the EMR (some EMR software is not compatible with IE8 or SQL 2005 SP3, etc.); centralized backup and client folder redirection for non-EMR critical data; a centralized monitoring platform for servers (hardware + software), workstations, UPS, networks, VPN, etc.; and centralized antivirus protection, which is also important to notify the support team of malicious software and vulnerabilities. Group Policy is a big part of the overall security and can manage (if properly configured) all aspects of the network including password policies, computer and user permission rights, power settings, audit controls, etc. There are many benefits to a DC / Management Server, and it is the choice to achieve IT best practices (I believe MS recommends 3+ computers to be on a domain environment, although this is aggressive).

      It’s nice to be able to bundle server roles (such as SQL or FAX) in order to justify the management server, but generally it comes down to cost. We hold our HIT practices to the highest standard, so our rule is that if the organization has 5+ computers, you must have a Domain Controller / Management Server in order to qualify for our full support program. We can’t justify the extra effort required to properly manage the environment without it. In those rare cases where a small organization chooses not to invest in a Domain Controller when we feel it’s required, then unfortunately we wish them the best of luck and turn down their business.

    2. Domain Controlled Networks and Management Servers | EMR and HIPAA pingbacked on July 8th, 2010:

      [...] Peters from Umbrella Medical Systems added an interesting comment on my previous post about Domain Controlled Networks and HIPAA that I thought really added to my original post. Plus, Trent goes into a nice list of other [...]

    3. Keith commented on July 15th, 2010:

      I need to find a list of a handful of EMR companies which reach the most MD’s offices and Diagnostic Laboratories. Does anyone know where a market share or “reach” list for each EMR vendor can be found?

    4. John commented on July 15th, 2010:

      Keith,
      Nobody really knows. There are some people guessing, but they’re just wild guesses. I wrote this post about it a while back: http://www.emrandhipaa.com/emr-and-hipaa/2010/06/17/emr-market-share/ However, even the article that’s mentioned is missing a lot of EMR vendors that have large user bases.

      I’ve heard that another organization that actually might be able to get some decent data is starting to collect it, but that hasn’t been published yet.
