Michael Koploy over at Medical Software Advice put together an interesting post that looked at all the HHS breach data. He takes a pretty in-depth look at the various breach incidents that occurred and even does a deep dive into the specific EMR-related HIPAA breaches that are listed. He then forms an interesting conclusion:
HIPAA Violations Aren’t in the Cloud
Some have said that increasing the number of EMRs makes our records more vulnerable. I’d cite the above data to argue otherwise. Paper records and portable devices are the weakest link in HIPAA security. The systems themselves – and certainly cloud-based systems – have a pretty good track record. HIPAA violations aren’t happening in the cloud. Rather, they’re happening in the doctor’s office, hospital IT closets, cars, subways, and homes.
And the statement that cloud-based EMR systems are more vulnerable to security breaches simply isn’t supported by facts. Of course, it remains to be seen if this holds true as more cloud-based systems are deployed. As more physicians move their records to the cloud, the opportunity for breaches will increase.
If my doctor asked me how to ensure patients’ data is secure, I would offer the following: go to the cloud. Web-based EMRs eliminate the most common security risks because there aren’t physical files to be compromised. And no matter your system, it’s essential to train your staff on the necessary security measures to ensure patient privacy is a systematic imperative.
I think he makes a good point about it possibly being too early to really know how many cloud-based SaaS EHR companies are going to have breaches. I also think it’s fair to consider that when those do happen, they’re going to be big breaches. They won’t just be a few records that are breached, but a whole bunch. This is true, though, for any electronic medical record HIPAA breach as compared with a paper chart HIPAA breach.
The other thing I can’t help but wonder is if there are more breaches with cloud EHR software, but we just don’t know that they’re happening. That goes against the common thinking, though, that EHR software does a much better job of tracking breaches than a paper chart. Your digital fingerprints are all over a digital chart and can be reported on quite easily. It’s a little harder to track the inappropriate fingerprints on a paper chart.
All in all, I’d have to agree with Michael and his assertion that we’re likely to see many fewer EHR breaches from a SaaS or cloud-based EHR company than we will see from all the in-house EHR software. In an in-house system, the EHR company can just blame the clinic for the breach (in most cases). In a SaaS-based EHR system, a HIPAA breach would have a much more damaging effect on the future sales of that EHR company. So, they’re more likely to put in the effort needed to avoid such breaches.