Practices turn to cloud-based EHR for security, expertise

On-premise versus cloud-based EHR hosting? The answer is becoming more and more obvious. 

That’s no longer the case. A recent McAfee report found that 87% of companies experienced “business acceleration” from their use of cloud services, and that 52% experienced better security in the cloud than with on-premise IT.

When it comes to cloud-based EHR hosting, most organizations are extremely forthcoming about the facilities that house your data and the security protocols in place. It’s worth examining the specific protocols and tasks that secure data and how they might be handled in an on-premise environment such as your practice or surgical center, versus a cloud-based EHR environment such as Greenway’s.

Software patching

In an on-premise environment, the customer is responsible for applying all patches to software, apps, and operating systems in a timely manner. You must stay on top of the latest software for everything that makes your practice run — not just your EHR or practice management system, but the operating system and all your ancillary tools. That’s difficult to do without dedicated IT specialists.

Ethan Bing, Practice Administrator with Medical Colleagues of Texas, said one of the main reasons his practice moved to Intergy Hosted after it experienced a data breach was access to expertise.

"The decision to move to Intergy Hosted after the breach was obvious due to the many benefits, one in large part being the security experts that Greenway is able to provide,” he said. “A practice of our size — and even bigger — can't afford to have experts of that caliber working on our systems every day.”

"The decision to move to Intergy Hosted after the breach was obvious due to the many benefits, one in large part being the security experts that Greenway is able to provide. A practice of our size — and even bigger — can't afford to have experts of that caliber working on our systems every day."

Ethan Bing, Practice Administrator, Medical Colleagues of Texas

In the cloud, patching is Greenway’s responsibility. Our policies ensure that critical, high, medium, and low vulnerabilities are patched on a routine basis. For instance, Microsoft releases software patches on Tuesdays. Greenway tests and deploys those patches monthly. If there’s a critical patch, Greenway will schedule an out-of-band maintenance window to complete patching sooner. This is a much shorter window than most practices would be able to accomplish, considering the time and manpower involved.

Reboots are usually required after patching which, for most practices, Greenway can do with minimal to no downtime, and without overtime, meaning no negative impact on business.

Virus detection

When most people think of anti-virus, they think of the standard software from companies such as Symantec and MacAfee. These programs function from lists of known threats. When they identify one of the threats on the list, they alert you and spring into action. However, if a threat is new or unknown, there are other programs that can help you. 

Next-generation anti-virus goes beyond lists. It monitors system activity based on content and context. It looks at traffic coming into your network. It monitors how the operating system or system functions perform to identify anything out of the ordinary that might signal a threat. When it finds it, it can isolate the server involved to prevent the potential threat from spreading.

Unfortunately, most practices don’t have the budget, expertise, or manpower to harness this kind of threat protection. Cloud environments such as Greenway’s that work at scale, do.

Incident detection and response

Similarly, most practices do not have the level of IT maturity to develop and maintain endpoint detection response tools, policies, and procedures that streamline and automate incident response. It’s a significant undertaking. 

For our cloud environment, Greenway has a full team that routinely tests tools and procedures. When a threat is detected on any hosted environment, the team can quickly isolate the server, and they know who to contact, how to engage law enforcement, and how to get the right forensics teams engaged. Some of this requires contracts with outside entities — again, costs and resources that most practices cannot muster.

Infrastructure

The medical centers or office parks that house most practices are just as vulnerable to damage from earthquake, hurricane, flood, tornado, or fire as any other structure. 

In part one of Greenway’s three-part blog series on dealing with natural disaster, Cecily Sheats, Director of Business Operations at Internal Medicine Associates LLC, recalled how a 7.0 magnitude earthquake struck just a few miles from her practice in Anchorage, Alaska.

“As far as a specifically outlined contingency plan for something like this, we didn’t have it,” she said. “If we had, I think things would have been a little smoother.”

On-premise servers are just as vulnerable as any other component of a physical facility. 

Cloud hosting environments, meanwhile, are designed to withstand disaster. They have dual power feeds so that if main power is cut, there is an alternate source. They also have physical security and independent cooling in case of power failure. Some are even partially buried underground. 

24/7/365 monitoring

When a typical practice closes for the night, no one sticks around to monitor the network. But malicious agents don’t keep 9-to-5 schedules. That’s why Greenway works in conjunction with our hosting partners to provide 24/7/365 security monitoring of our cloud environment. It’s an additional set of eyes, always trained on your assets.

Why cloud-based EHR hosting makes sense

In a highly regulated medical environment that mandates data security — amid threats that demand constant vigilance — cloud hosting makes sense. It’s unrealistic to expect practices to maintain extensive IT staffs with specific knowledge in areas ranging from endpoint detection to incident response.

Cloud-based EHR hosting offers practices state-of-the-art data security, as well as incident detection and response, in a hardened, consistently monitored environment. Don’t let outdated concepts from years ago stand in the way of protecting your practice.