By Aaron Morein
Healthcare providers must decide between two systems for maintaining electronic health records (EHR) and electronic medical records (EMR)–a cloud-based or a server-based system.
One deciding, and yet often abstruse, factor is security. In recent years, cloud-based EHR has increasingly replaced server-based EHR. By 2017, already two-thirds of health systems and hospitals had adopted cloud-based technology. This industry-wide shift to practice management software has left some wondering how the security of each system compares.
Cloud-based and server-based EHR–what’s the difference?
Cloud-based EHR is accessed through the web and is maintained by a third party known as a software as a service (SAAS) provider. Server-based EHR, also known as on-premise, is stored on a server internal to the practice. Cloud-based EHR is accessible on any device that has a secure connection, whereas server-based EHR is accessible solely from devices within the personal server.
Implementing a server-based system requires hardware and software installation and necessitates a local IT department for regular management and upkeep. On the other hand, a cloud-based system requires neither installation nor IT personnel, since it is internet-based, provides live IT support, and automatically updates. Cloud-based systems therefore are less expensive, less time consuming, and require fewer personnel.
The costs associated with server-based EHR come with two primary advantages: (1) non-reliance on internet connectivity, and (2), more control over infrastructure configurations–i.e. where and how data is stored.
How should internet reliability factor in?
Reliable access to EHR is an essential factor of clinical productivity. So, it makes absolute sense for a practice with highly unstable internet connections to avoid web-based EHR that rely on it. However, while cloud-based EHR cannot be accessed without the internet, it will not experience system crashes the way server-based systems do. There’s also less concern for physical security, like disaster and theft recovery and data backup. Both methods have their own potential for interruptions, so there is some gray area. The most remote practices with little to no internet connection will have to continue using a server-based system for the time being. From there, exactly how unreliable a practice’s internet needs to be to warrant a server-based system depends on factors specific to each practice, like local IT support accessibility and the resources they are willing to invest. For the majority of practices, however, cloud-based systems will provide access to EHR as or more reliably as server-based systems.
How do cloud-based systems keep EHR secure?
The HIPAA Omnibus Rule, enacted in 2013, requires those cloud-based vendors that store, receive, maintain, or transmit protected health information from health plans, providers, or healthcare clearinghouses enter what’s called a “business associate agreement”. Through this agreement, the vendor becomes contractually liable for this data’s security. Since this update, cloud-based vendors have ramped sophisticated security controls operated by experts. Let’s take a look at what they offer:
- Physical security at cloud-service provider plants.
- Firewalls that establish a barrier between internal and trusted networks and untrusted networks by monitoring incoming and outgoing traffic and filtering traffic based on a set of security rules.
- Intrusion detection systems that monitor activity within the network and analyze it for signs of violations of or threats to the security policy. Intrusion prevention systems use this information to preemptively block malicious remote file inclusions, block the offending IP address, and alert security personnel to the threat.
- Anti-virus software that prevents, scans, detects, and deletes viruses from the system.
- Identity and access management which verifies the right users have appropriate access to data.
- Automatic updates that ensure security by continuously staying ahead of potential vulnerabilities through patch maintenance. This feature also makes complying with changing regulations easy, too.
- Data encryption which ensures that if a data breach were to occur, it is indecipherable.
The same protective measures are in place regardless of the device one uses. For this reason, cloud-based systems are the only viable way to access EHR remotely without compromising security. This is in contrast to the server-based system, which is only securely accessible within the server–i.e., the practice itself. This affords practices with cloud-based systems the flexibility to accommodate remote and virtual healthcare, while maintaining HIPAA-compliance. Post-pandemic, this is a highly advantageous security feature.
Still, it is understandable why one may be reluctant to let a third-party determine where and how EHR are stored. Patients trust their healthcare providers to protect their personal information, and providers want to honor that trust. People have a tendency to assess risks to be lower if they are under their control. We know that this cannot be true, because it would be impossible for everyone to handle everything better than everyone else. Still, we are guided by this fallacy.
Hypothetically, a practice with a server-based system, absent of budgetary concerns and hellbent on replicating the same degree of impenetrability, could implement and maintain most of these security measures to a similar degree. In reality, it is highly impractical and unlikely.
The Bottom Line
The bottom line is that a cloud-based system is the most secure method for maintaining EHR while also being cheaper and technologically easier. A server-based system could not be expected to reproduce the same level of security, given the prohibitive amount of resources it would require. Practices based in remote areas with highly unreliable internet may need to opt for a server-based EHR for the time being. Considering advantages in cost, time, and security, cloud-based EHR is the best choice for most practices.