The tech news the last few days has been all about the “hacking” of the iCloud from which many pictures of famous people were accessed and published on the internet.
Not mentioned in the reporting of this “hack” is all the personal information that was probably also gathered beyond the more interesting mentions of naked photos.
Why do I keep placing quotes around the word “hack”?
Well, what needs to be clarified is that Apple’s iCloud wasn’t exactly hacked; people’s individual accounts were hacked.
Does this differentiation really matter? Yes. It matters for a few reasons. Other than some minor checks in the iCloud system that could be handled better, it appears that iCloud is as secure as can be expected. Noting that individual accounts were hacked is important because it shows most people’s lack of understanding of security and unrealistic reliance on a service.
What I mean by this is, users of iCloud generally don’t “get it” that by placing their information on the cloud, they are making access to this information easier, not just for themselves, but for others as well. It’s a bit like that key many of you keep under a door mat at your house. Every day you lock your house, but if someone really wants access to your house, they could search around and find that key, then easily enter your house. Note: You should not leave a key under a mat at your house.
The unrealistic reliance on a service is simply the impression that Apple gives users: our stuff is elegant, beautiful and easy to use, therefore everyone is going to be OK.
Just because you are a fan of whatever hardware or software you use, doesn’t mean that hardware or software is flawless, and it doesn’t mean you can slack in your security efforts and responsibilities.
How does all of this apply to your EHR?
There is a big push by vendors to have all users on the cloud version of their EHR. The “why” argument is not worth going into right now…just realize it is happening.
For most vendors one of the big selling points on going to the cloud is security.
The reality of a cloud-based EHR vs. a client-server based EHR is that security is no different…that is, security should be no different.
Security should be no different because all users should be ensuring the following best practices are implemented – whether using a cloud-based EHR or client-server based EHR:
- Strong passwords must be used
- Passwords should be changed at least quarterly
- No sharing of username or passwords (not even the provider or practice administrator should know everyone’s password)
- Swift execution of the Employee Termination Checklist (you have one of these…right?), which must include revoking the terminated employee’s access to the computer network and EHR accounts
- If you have an in-house server, ensure it is either in a locked room or a locked server enclosure – if using a cloud-based EHR you should also confirm the security of the data center.
Aside from the last bullet above, the basic security essentials are the same whether using a cloud-based EHR or client-server based EHR.
Either way, it is your responsibility to have the proper policies and procedures in place to ensure you and your staff operate in a compliant and secure way.