EMR Security Monitoring Systems

There’s been an interesting situation going on between a couple EHR vendors. I first saw this when I got the press release that meridianEMR filed a lawsuit against UroChart. The lawsuit claims that UroChart obtained access to meridianEMR’s data. (Note: See this comment from IT Director of meridianEMR that discusses more details of what happened and how no data was breached.)

Lawsuits aside, meridianEMR is trying to capitalize on the situation by talking about how their EMR security monitoring system was what notified them of the attack by UroChart. They call it their Advanced Monitoring System (AMS) and say it responds immediately to any attacks and protects patient records.

I’m not sure if it’s a smart move to use a breach of their system as a way to promote their ability to protect patient records. I guess they can argue that their monitoring service was what protected their patient records. However, the lawsuit is claiming that patient records were at risk. I don’t think that’s something any EMR vendor wants tied to their name, is it?

Marketing strategy aside, this security monitoring service is interesting and I can’t say I’ve really seen something like it in any other EMR system. Sure, they all have some sort of audit tracking and trail. However, I think most EMR vendors’ strategy is not detection, but prevention. They harden their systems using the best techniques, but don’t do much to try and detect breaches. Should that be changed?

One problem with breaches is that good hackers know how to even avoid the detection part. I still remember when my friend showed me how he had hacked into a server and you could see him logged in. Then, he ran a script and you couldn’t see him anymore. I guess if you compare it to the physical world, it’s like having a camera watching the front door, but no camera on the back door. However, in the digital world there are lots of different doors, including those we don’t know about.

Some might argue that ignorance is bliss in this instance. Sure, no EMR vendor is going to admit that in public. Neither is a doctor. However, the regulations have made it pretty harsh when you know that there’s been a breach of your system. You basically have to make it known to all the world. However, if you don’t know that your EMR system has been compromised, then you have no such requirements.

I’m sure some people won’t like me saying this, but be sure that many doctors and EMR vendors have thought about this. I’m sure there were parallels in the paper world too. So, let’s not act like this is really that new. Although, certainly technology has made it possible to have much larger breaches.

One thing worth noting is that I haven’t seen a group of healthcare hackers forming. There’s no underground group of people that I’ve heard of that are trying to hack and get access to healthcare data. Financial data is much easier to monetize for a hacker than healthcare data. That’s not to say that healthcare data isn’t valuable and can’t have consequences if it’s put in the wrong hands. However, most hackers do it for the Lulz, for financial gain, or vengeance. Things could certainly change, but I haven’t seen healthcare as a prime target for hackers. I’d love to see if you have evidence that says otherwise.

If you evaluate the list of breaches that are published by HHS, this seems to agree with my above evaluation. Almost every single breach was just due to something being lost, a physical device being stolen (which you can almost guarantee they wanted the laptop and not the healthcare data which they probably didn’t even know was on the laptop), or inappropriate use by someone on a system already.

It will be interesting to see how these EMR security monitoring systems evolve. Plus, will we see more need for these types of protections and monitoring of EMR systems?

About the author

John Lynn

John Lynn is the Founder of the HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Excellent Article John! I would be very interested to see more EMRs have security monitoring built into them. Many practices do not review the audit logs and have no idea if they have experienced a data breach. Proactive systems to monitor access and audit logs would be a welcome addition.

  • Dear John

    I thank you for another excellent article!

    I think the most interesting point you raise is the concern with sensitive health data being kept on PC’s and especially if they are stolen. This would certainly be a problem if PC’s are discarded during an upgrade process also.

    Kind Regards, Joseph

  • Dr. J Grace and Art,
    Glad to hear you like the article. Amazing, but true that most practices don’t check their audit logs. In fact, I imagine there are plenty of clinics that have never seen their EMR audit log.

    Yes, data being kept on a PC is often where a lot of the breaches come from. Sad because it’s usually unnecessary to have healthcare data on a PC, but true.

  • John, I’m behind in reading your posts, so I only just saw this. I’ll follow up with you in an email with more details, but speaking as the IT Director of meridianEMR (and as a “Certified Ethical Hacker”), let me clearly state that NO DATA BREACH OCCURRED. What happened, and what the lawsuit is about, is that our competitor did indeed access the server (after having been given one of the passwords by the office administrator), then tried to hack into the encrypted patient data and into our software code. They were completely unsuccessful in doing so, even after attempting to clone the server. However, because all the data (as well as our software) was fully encrypted, they were not able to get anywhere and gave up soon after trying (but not after instructing the office administrator to destroy the clone of the server).

    What our monitoring detected was their ATTEMPT to hack into the server, and their success in logging on to the base OS of the machine itself. However, NO PATIENT DATA WAS EVER ACCESSED.

    (That press release is a good example of what happens when sales people try to get involved in technical issues. They were trying to highlight one of the strengths of our system — that we try to watch EVERYTHING on all our client machines using a range of tools on a 24×7 basis, and respond immediately when anything unusual is detected, but calling it a “breach” in an EMR world brings in all sorts of nasty meanings that don’t apply in this case.)

  • Thanks for commenting Bill. I’ll update the post with a link to your description of what happened and modify a bit of the terminology in the article. I appreciate you stopping by to clarify what happened.

  • John, thanks for updating the post. (We have all sorts of procedures in place to monitor our servers and the patient data but it looks like we need to put some procedures in place so our press releases get reviewed by anyone involved before they go out…)

    btw: Keep up the great work! (Just discovered your RSS feed; now I can read your posts on a more timely basis.)

  • Bill,
    “looks like we need to put some procedures in place so our press releases get reviewed by anyone involved before they go out”
    Thanks for the good laugh. It definitely could have been my interpretation of what they sent me too. Obviously I didn’t dig that deep into what really happened. Either way, I’m happy to get the full story out there. That’s my goal.

    Also, thanks for following my feed. You should also add: http://feeds.feedburner.com/HealthCareSceneBlogNetwork and http://feeds2.feedburner.com/EmrAndEhr Then you’ll have all of the HealthcareScene.com network of feeds. Well, almost all of them.
