Does Changing EMRs Make Security Vulnerabilities Worse?

Posted on August 23, 2012 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I don’t have good statistics on hand, but changing EMRs isn’t unusual, and changing them a few times isn’t as rare as it should be. Readers here know that this is a painful proposition for many reasons, including cost and the need to re-tool workflow over several months at minimum.

But I’ve noticed that few if any IT pundits talk about the security risks that must come from making such a shift. A few common sense issues come to mind:

* Retraining staff: Your overall security policy might not change, but the security workings of the new software may be somewhat different. As staff reacclimates, there’s plenty of room for mistakes.

* Transferring patient information: Whether you’re currently using a Web-based EMR or one installed on site, you’ll have to transfer a lot of information to the new system. What happens if the information isn’t encrypted and locked down during or after the transfer?

* Back door vulnerabilities: If your existing installed software has any back-door vulnerabilities in it, they may remain or become even more deeply buried when the new software is put in place.

* Re-establishing device security:  Whatever you’ve done to secure mobile devices may have been sufficient for your last system, but what about your new one?   Even cloud systems with strong back-end data protections aren’t going to make sure smartphones and iPads and laptops are secure against security breaches, and you may need to re-do protections for them.

In proposing these ideas, I’ve mostly envisioned what small- to medium-sized medical practices face. If the EMR change is from Cerner to Epic rather than a small-practice system to another, the problem is vastly more complicated.  Either way though, it isn’t a pretty picture.

So readers, if you were responsible for such a shift, what would your next steps be?  Do you have a transition security checklist you can share?