Are Web-Based EHRs Safe?


The most common reason people give for being reluctant to switch to a web-based EHR is safety. When we’re charged with protecting something – in this case, our clients’ records – most of us intuitively feel safer with something we can see and touch; something physical within our own office where we can maintain control of security ourselves. However, despite this subjective sense of safety, Hurricane Katrina taught us all a valuable lesson about the danger of keeping client records on paper. Floods, tornadoes, fires and other types of disasters can destroy paper records in a heartbeat. If you do maintain paper records, at the very least, you should have backup copies of everything – and those copies should be stored at a completely different location – preferably far away from where your paper records are stored.

The question then becomes, what kind of copies do you make and where do you store them? You can certainly use a copy machine and make paper copies of your records, but that’s both costly and cumbersome in terms of paper, ink, and additional space to store everything. Digital records, on the other hand require little to no room to store, although it can be time-consuming to scan all of your paper documents to get them into digital format. Once you have them in digital format, what do you do with them? All types of digital storage media (computers, external hard drives, thumb drives, CDs, etc.) degrade over time. This means if you choose to store your digital files on some type of physical media that you maintain yourself, you’ll have the task every few years of making copies of your copies to ensure that all of your client data is still good. All of this becomes rather daunting, no matter how you look at it.

An obvious solution is to just not generate paper documents. Keep all – or at least most – of your client records in digital format on the Web from the very beginning. This is a huge leap for many – it’s changing the way they’ve done things comfortably their entire careers and, intuitively, it just doesn’t feel safe. However, before just assuming that records kept on the web are less safe than records kept in your office, let’s look at some facts:

Data States on the Web: Data in Motion vs Data at Rest

There are two possible states for data on the web:

  • “Data in motion” is the term used to describe data as it travels back and forth between the computer issuing the request (e.g., you at your personal computer or tablet) and the server you’re trying to reach (e.g., a web-based EHR).
  • “Data at rest” is when the data is just sitting there on either your computer or the server.

Security Issues with Data in Motion

As long as the website you’re accessing starts with “https” instead of just “http”, data in motion is generally safe. The https protocol indicates that the website is working in conjunction with another protocol, Secure Sockets Layer (SSL), to transport data safely. Here are some facts about SSL:

It appears, then, that data in motion – as long as the website you’re using has SSL – is generally accepted as being secure. When we hear of data being hacked and/or of large data breaches, the culprit is with data at rest.

Security Issues with Data at Rest

To review, data at rest is when the data is just sitting on a computer or other device. The device might be your own personal computer, tablet or even your phone – or it might be the computer (i.e., server) where your web app lives. (Servers are just computers that have certain software on them that enable them to “serve” a web page to you when you request it. In other words, you type www.google.com into your web browser and one of Google’s servers opens that page, i.e., “serves” it to you.)

Consider this: if you’re storing client records on your computer, even if it’s in a desktop EHR (i.e., the program is actually installed on your computer), there are two possible places data at rest might be vulnerable: your computer and the server. However, if you’re using a web-based EHR – unless you specifically download files from the app or store other client records on your computer – NO client data is stored on your machine. All of your client data is on the web. This effectively eliminates 50% of the possible concerns for data at rest breaches. The initial implication here is that, contrary to popular belief, web apps may actually be SAFER ways to store client records. But let’s dig a little deeper.

Most of us fear hackers. We hear about them in the news, they’ve successfully hacked into some pretty scary – and presumably secure – websites, so we assume they’re the major worry with data breaches on the web. However, this is not the case. Hacking actually accounts for a very small percentage of reported healthcare data breaches. One author who has analyzed healthcare breach data notes that the media most often involved in breach incidents are laptops and paper, i.e., NOT servers.

The HITECH Act requires the Secretary of HHS to post a list of breaches of unsecured protected health information affecting 500 or more individuals. To make it easier to see trends, I downloaded the entire list into an Excel sheet so I could group breaches by type and came up with the following table (this data was collected from 2009-2013):

Notice that theft and loss account for 72% of the reported breaches. The thing that most people fear – hacking and/or IT incidents – only accounted for 2% of the breaches. Also, although I didn’t include the “Location of Breach” column in the table, glancing at the original data seems to confirm what the above author concluded, i.e., that the largest percentage of these thefts or losses are from either paper records or laptops.

Furthermore, as of mid 2015, none of the EHRs made specifically for behavioral health practitioners in private practice had ever reported a breach of any kind, nor had any of the clearinghouses used by EHRs reported breaches. This certainly isn’t meant to imply that it couldn’t happen. However, as you can tell from the data presented so far, most breaches are caused by people – people stealing or misplacing client files or data, people disposing of records improperly, people missending emails, people leaving records in public view and failing to secure them properly. It makes sense then, that companies with larger number of employees will be more likely to have breaches. Companies that specialize in behavioral health EHRs tend to be small, which, in some ways may serve to minimize their risk.

Also, even though the data shows that hacking incidents are fairly uncommon, if I were a hacker and I wanted to obtain healthcare data, I’d choose a target where I stood to garner the most records – insurance companies, large hospital complexes, etc. Even IF, for some reason, I wanted to target EHRs, I’d go after the large scale medical EHRs. I wouldn’t waste my time with EHRs that are specifically made for behavioral health. Could it happen? Yes. Is it likely? No.

What We’ve Covered So Far:

  • Data in motion is secure. Data breaches, when they occur, happen with data that’s just sitting on either your computer or a server.
  • If you use a web-based EHR as opposed to a desktop application, that eliminates your computer, i.e., 50% of the security risk.
  • Most healthcare data breaches occur as a result of either theft or loss. The most common items that are lost or stolen are laptops and paper records.
  • As of mid-2015, no behavioral health EHR made just for private practice had reported breaches of any type.
  • Hacking or other IT incidents only account for about 2% of all breaches. Furthermore, there’s some reason to think that behavioral health EHRs made just for private practice might be unlikely targets for hackers.

Summary

Nothing is 100% safe. If you store your client records in your office – either as paper records or on your computer – your office could catch fire and burn. If you had gone to the trouble to keep backup copies of everything in your home, a tornado or other natural disaster could destroy both your home and your office. The same can be said for digital records stored by EHR companies.

However, EHRs that use reputable web server companies have built-in protections provided by the companies themselves, that are difficult to replicate by individuals. For example, PSYBooks is stored on servers that are provided by Amazon. AWS (Amazon Web Server) data centers have military grade perimeter control as well as other natural boundary protection. Physical access is strictly controlled by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and monitored. Furthermore, Amazon offers backup servers at “redundant co-location facilities the are geographically dispersed” to help ensure that even if a catastrophic event happened in one part of the country, you would have a backup available in another part of the country. It’s pretty unlikely that any of us in private practice would be able to match Amazon’s level of security for the computers we maintain in our homes or offices.

It seems reasonable to conclude that despite the fact that nothing is 100% safe, using web-based EHRs made just for behavioral health providers in private practice may well be the safest option you can choose.