EHR Security

In Case of Disaster, Break Glass

by Jerome Carter on April 30, 2012 · 0 comments

Backups are important. However, when things really go wrong, they alone are not enough. “Disaster” may sound overly dramatic, but, in fact, catastrophic data losses are not rare. Depending on where you live, floods, tornados, hurricanes or earthquakes are a fact of life. Of course, man-made misery (e.g., viruses, tampering, sabotage) accounts for its share […]


Encryption, an Ounce of Prevention…

by Jerome Carter on April 16, 2012 · 0 comments

Increasingly, data breaches are in the news. Reports of stolen desktops, lost jump drives, and misplaced laptops seem to show up constantly. If it seems that you are now hearing more about breaches than in years past, you are correct, and the HITECH Act is probably the major reason. One component of the privacy/security provisions […]


The newly proposed rules for EHR certification, referred to by ONC as Certification Criteria for Electronic Health Record Technology, 2014 Edition, contain a few pleasant surprises that bode well for EHR users. There are provider-friendly changes in how CEHRT is defined; a new security requirement that may help with data breaches; and comments on data […]


Technical Safeguards in Certified EHRs

by Jerome Carter on February 13, 2012 · 2 comments

As someone starting a new software development project, I have a keen interest in ensuring that my product does not create HIPAA headaches for users. Complying with the Security Rule’s technical safeguards seemed like a good start, so I decided to review their implementation specifications while developing security requirements. The technical safeguards are covered in sections 164.312(a)-(e). They […]


Choosing Malware Protection

by Jerome Carter on February 8, 2012 · 0 comments

Viruses, worms, and spyware are ever present. Protection is essential, but it is difficult to make sense of all the various products. Over the last six years, I have tried several: Norton, McAfee, MS Security Essentials, Zone Alarm, and AVG. Last month I switched to Webroot Secure Anywhere. Before settling on a security suite, I […]


HIPAA Requirements for Meaningful Use Objective 15

by Jerome Carter on December 12, 2011 · 0 comments

Each of the three previous posts in this series addressed a different aspect of security: information security principles, HIPAA changes in the HITECH Act, and the components of the HIPAA security rule. The subject of this post is meaningful use objective 15, which states: Objective: Protect electronic health information created or maintained by the certified […]


The HIPAA Security Rule: Components and Compliance

by Jerome Carter on December 5, 2011 · 0 comments

The security rule was one of four provisions of the HIPAA law passed in 1996. The final compliance date for all covered entities was April 20, 2006. Unlike the privacy rule provision of HIPAA, the security rule applies only to protected health information in electronic form (ePHI). The security rule is independent of the EHR […]