I don’t have good statistics on hand, but changing EMRs isn’t unusual, and changing them a few times isn’t as rare as it should be. Readers here know that this is a painful proposition for many reasons, including cost and the need to re-tool workflow over several months at minimum.
But I’ve noticed that few if any IT pundits talk about the security risks that must come from making such a shift. A few common sense issues come to mind:
* Retraining staff: Your overall security policy might not change, but the security workings of the new software may be somewhat different. As staff reacclimates, there’s plenty of room for mistakes.
* Transferring patient information: Whether you’re currently on a Web-based EMR or one installed on site, you’ll have to transfer a lot of information to the new system. What happens if the data isn’t encrypted and locked down during or after the transfer?
* Back door vulnerabilities: If your existing installed software has any back-door vulnerabilities in it, they may remain, or even become more deeply buried, when the new software is put in place.
* Re-establishing device security: Whatever you’ve done to secure mobile devices may have been sufficient for your last system, but what about your new one? Even cloud systems with strong back-end data protections aren’t going to make sure smartphones, iPads and laptops are secure against breaches, and you may need to re-do protections for them.
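One concrete control for the transfer bullet above is an integrity manifest: hash every file in the export before it leaves the old system, and check the received copy against that manifest before anything is loaded into the new EMR. The script below is an added example written for this post, not code from any EMR vendor; it uses only the Python standard library, and the "export" it checks is a constructed three-file sample with placeholder patient data, not real records.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large exports don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(export_dir: Path) -> dict:
    """Record relative path, size and SHA-256 for every file in the export.

    The manifest is what you keep (and ideally sign or store separately)
    so the receiving side has something independent to check against."""
    files = {}
    for p in sorted(export_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(export_dir).as_posix()
            files[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return {"version": 1, "files": files}


def verify_manifest(received_dir: Path, manifest: dict) -> dict:
    """Compare the received directory with the manifest.

    Returns lists of files that matched, were modified, went missing,
    or showed up without being in the manifest (stray temp files are a
    common sign of an incomplete or improvised transfer)."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    expected = manifest["files"]
    for rel, meta in expected.items():
        p = received_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    for p in sorted(received_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(received_dir).as_posix()
            if rel not in expected and rel != "manifest.json":
                report["unexpected"].append(rel)
    return report


def demo() -> tuple[dict, dict]:
    """Constructed walk-through: build an export, copy it, verify it,
    then alter one file, drop another and leave a stray file behind."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "export"
        dst = Path(tmp) / "received"
        (src / "notes").mkdir(parents=True)
        # Placeholder content only; no real patient data.
        (src / "patients.csv").write_text("id,name\n1,SAMPLE PATIENT\n")
        (src / "allergies.csv").write_text("id,allergy\n1,none\n")
        (src / "notes" / "visit_0001.txt").write_text("constructed visit note\n")

        manifest = build_manifest(src)
        (src / "manifest.json").write_text(json.dumps(manifest, indent=2))

        shutil.copytree(src, dst)          # stands in for the actual transfer
        clean = verify_manifest(dst, manifest)

        # Simulate corruption in transit and an incomplete transfer.
        (dst / "patients.csv").write_text("id,name\n1,ALTERED\n")
        (dst / "allergies.csv").unlink()
        (dst / "stray.tmp").write_text("leftover")
        tampered = verify_manifest(dst, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean transfer:", before)
    print("bad transfer:  ", after)
```

The manifest only proves the bytes arrived intact; it says nothing about who could read them along the way. Pair it with encryption of the export at rest and in transit, and keep the manifest somewhere the transfer path itself can't overwrite.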
In proposing these ideas, I’ve mostly envisioned what small- to medium-sized medical practices face. If the EMR change is from Cerner to Epic rather than from one small-practice system to another, the problem is vastly more complicated. Either way, though, it isn’t a pretty picture.
So readers, if you were responsible for such a shift, what would your next steps be? Do you have a transition security checklist you can share?