BMN Blog

JUL 30
EHR in the Cloud? – Make sure the I’s are Dotted and the T’s are Crossed

Is your EHR application in the cloud, or are you considering moving to a cloud-based provider? If so, knowing the provider's processes for data backup, disaster recovery and overall security is extremely important.

Over the last 15 months, one of the top 3 EHR providers and an Alabama-based data center provider have been hit with ransomware, which resulted in breach reporting for multiple clinics and incalculable hours spent by clinic staff recovering from the incidents, not to mention the loss of revenue incurred. During the same timeframe, 3 cloud-based EMR providers had lengthy outages due to Amazon cloud services being unavailable.

Security breaches and intermittent cloud outages will occur no matter how strong the processes to alleviate them are. But knowing several critical items before you sign a contract for services will, at a minimum, tell you what to expect.

  1. Where is the service located? – Is it in a certified, state-of-the-art data center? Some EHR providers partner with smaller cloud providers that may not have the resources to provide quality services. Get specifics: the more you know about where your data is stored, the better.
  2. How often are internal and external security scans performed? Will the provider allow you to get the results in a format that you can understand?
  3. Does the provider have, and provide to you, a detailed audit trail report showing when, what, who and where your clinic data was accessed?
  4. HIPAA and HITECH compliance – Does the data center follow the roadmap laid out, and is it documented?
  5. What is the guaranteed uptime (typically referred to in the SLA) of the application? If the uptime guarantee is not met in a given month, what are the policies for remediation (partial refund, etc.)?
  6. Is disaster recovery implemented? If so, where is it located, and how often is the primary data backed up to the failover site? In the event of a catastrophic loss of data at the primary location, how long will it take to fully recover to the disaster recovery location?
  7. Does the vendor provide cyber insurance that not only covers them but also covers the clinic, or supplements the clinic's insurance should it be needed for a loss of revenue?


These questions will not prevent a “worst case” issue from occurring. However, if the answers are known and written into your vendor contract, they will at a minimum give you the information to manage expectations should one occur and, for those of you considering moving to the cloud, critical information on whether to do it.
