Does Changing EMRs Make Security Vulnerabilities Worse?

I don’t have good statistics on hand, but changing EMRs isn’t unusual, and changing them more than once isn’t as rare as it should be.  Readers here know that this is a painful proposition for many reasons, including cost and the need to re-tool workflows over a period of at least several months.

But I’ve noticed that few if any IT pundits talk about the security risks that inevitably come with making such a shift. A few common-sense issues come to mind:

*  Retraining staff:  Your overall security policy might not change, but the way the new software enforces it (logins, permissions, audit trails) may be somewhat different.  While staff reacclimate, there’s plenty of room for mistakes.

* Transferring patient information:  Whether you currently run a Web-based EMR or one installed on site, you’ll have to move a great deal of information to the new system.  What happens if that data isn’t encrypted and locked down during the transfer, or in the copies left behind afterward?

*  Back-door vulnerabilities:  If your existing installed software has any back doors or undocumented access paths, they may remain in place, and may even become harder to find once the new software is layered on top.

* Re-establishing device security:  Whatever you’ve done to secure mobile devices may have been sufficient for your last system, but what about your new one?   Even cloud systems with strong back-end data protections won’t make sure the smartphones, iPads and laptops that connect to them are secure against breaches, and you may need to redo protections for them.
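The transfer concern above is one place where a practitioner wants a concrete check rather than a worry: once the export has crossed the wire, can the receiving side prove that every patient record arrived unaltered and that none were dropped or added? The following is an added example written for this page, not code from the original post or from any EMR vendor. It assumes, hypothetically, that records are exported one JSON object per patient and that the two sides share a manifest key exchanged out of band; encryption of the transport itself (TLS or an encrypted archive) is assumed to be handled separately.

```python
"""Integrity manifest for an EMR export (added example, not from the original post).

Hypothetical setup: each patient record is one JSON object; the exporting and
importing sides share MANIFEST_KEY out of band. Per-record SHA-256 hashes let
the importer pinpoint which record changed; an HMAC over the hash list stops
someone who can alter the data in transit from also rewriting the hashes.
"""
import hashlib
import hmac
import json

# Constructed sample export (fictional patients), three records.
SAMPLE_EXPORT = [
    {"mrn": "000123", "name": "Test Patient A", "dob": "1970-01-01", "allergies": ["penicillin"]},
    {"mrn": "000124", "name": "Test Patient B", "dob": "1985-06-15", "allergies": []},
    {"mrn": "000125", "name": "Test Patient C", "dob": "1992-11-30", "allergies": ["latex"]},
]

# Hypothetical shared key; in practice it would never sit in source code.
MANIFEST_KEY = b"shared-manifest-key-from-out-of-band"


def canonical(record):
    """Serialize a record deterministically so both sides hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_manifest(records, key):
    """Hash every record by MRN, then seal the hash list with an HMAC."""
    digests = {r["mrn"]: hashlib.sha256(canonical(r)).hexdigest() for r in records}
    body = json.dumps(digests, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "count": len(records), "hmac": tag}


def verify_import(records, manifest, key):
    """Return (ok, problems). Check the seal first, then each record,
    then that nothing was dropped or added in transit."""
    problems = []
    body = json.dumps(manifest["digests"], sort_keys=True).encode("utf-8")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        problems.append("manifest HMAC mismatch: hash list not trustworthy")
        return False, problems
    seen = set()
    for r in records:
        mrn = r["mrn"]
        seen.add(mrn)
        if mrn not in manifest["digests"]:
            problems.append(f"unexpected record {mrn}")
            continue
        if hashlib.sha256(canonical(r)).hexdigest() != manifest["digests"][mrn]:
            problems.append(f"record {mrn} altered")
    for mrn in sorted(set(manifest["digests"]) - seen):
        problems.append(f"record {mrn} missing")
    return not problems, problems


def demo():
    """Run the check on a clean import and on one damaged in transit."""
    manifest = build_manifest(SAMPLE_EXPORT, MANIFEST_KEY)
    clean = verify_import(SAMPLE_EXPORT, manifest, MANIFEST_KEY)
    damaged = [dict(r) for r in SAMPLE_EXPORT]
    damaged[0]["allergies"] = []   # an allergy silently dropped
    del damaged[2]                 # a whole record lost
    bad = verify_import(damaged, manifest, MANIFEST_KEY)
    return clean, bad


if __name__ == "__main__":
    for label, (ok, problems) in zip(("clean import", "damaged import"), demo()):
        print(label, "OK" if ok else "FAILED", problems)
```

The manifest travels with the export; the importer refuses to go live until `verify_import` returns a clean result, and the reported MRNs tell the migration team exactly which records to re-export. Keeping the key out of the transfer channel is what makes the HMAC meaningful: if it travelled alongside the data, anyone who could alter the data could reseal it.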

In proposing these ideas, I’ve mostly envisioned what small- to medium-sized medical practices face. If the EMR change is from Cerner to Epic rather than from one small-practice system to another, the problem is vastly more complicated.  Either way, though, it isn’t a pretty picture.

So readers, if you were responsible for such a shift, what would your next steps be?  Do you have a transition security checklist you can share?

About the author

Anne Zieger


Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.


  • I’d respond, obviously there are issues, but realistically most practices don’t understand these issues.

    Generally a practice relies on the EHR vendor to be safe/secure with their data.

    Though I’d say I agree with this, I’d also say make sure you have a solid associates agreement…just in case.

    Retraining staff on the security shouldn’t be an issue.
    The real issue here is, I’d doubt the staff had proper security awareness training in the first place.

  • Opting for an EHR/EMR hosted by a service provider is likely to result in a hike in service charges by the provider, since after a certain period it will be very troublesome to migrate all the patient data to some other service provider with a different platform. This might force healthcare professionals/the industry to shell out more money to continue with the same provider.

    Final outcome: how many people will have access to the patient details, when we talk of privacy? At first only the doctor and his office staff had access. With hosted EHR/EMR, not a single doctor will know who actually is handling the private data. There will be manpower turnover at an outside agency, and more and more people will have access to the data officially, being employees of the concerned service provider.

    Does more and more people handling patient data mean privacy?

  • Just like maintaining an EMR… it all depends on the policy of the organization that drives the operational decisions. Change can be good if you take a blank-slate attitude and thus can start clean with a complete risk assessment using realistic and modern risk evaluation.
