[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


What server operating system should I use on EMR server?

Posted on 2011-09-26
Medium Priority
Last Modified: 2012-05-12
Hello Experts,

I am setting up a new EMR server for the company I work at and I want to know what a good operating system would be to use on it.  Would Linux be better since it is going to be hosting medical records?  The EMR software they are using now is "vision" and it is web based.  I believe they are going to be using the server to backup information and to use it as a network gateway.  Any reccommendations would be greatly appreciated.  Thanks.
Question by:Brent Johnson
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2

Expert Comment

ID: 36630303
Particularly in the medical industry with all of its regulations, the choice of OS should be driven by the vendor.  If they support e.g. RedHat Enterprise Linux 6 and MS Windows Server 2008 R2, those are your two choices.  Otherwise your system can be deemed non-compliant.

From that point your OS decision is based on the skill sets available to manage the server, any site-specific policies, business requirements, or security requirements.

I also don't think you should use an EMR system for anything except EMR.  Again, medical records are supposed to be protected fairly well, so it's easiest to demonstrate e.g. HIPAA compliance if the records are on a single-purpose system.

LVL 40

Expert Comment

ID: 36713563
You probably also need to pay attention to hardening the system, moving it into a secure place and restrict the methods & places where it can be reached from.

f.e. anly access using 2 factor authentication, from outside an office only using encrypted tunnels from presetup laptops etc. (No unencrypted local data on the laptop though).

Accepted Solution

klodefactor earned 2000 total points
ID: 36718473
Noci: a higher level of security is always nice, but for medical data it might be overkill to go to the lengths you describe.  Access via HTTPS generally suffices; no need to mess around with user VPN connections.  Two-factor authentication is nice but may not be required.

johnsonbrentw: My best advice is that you not take our word for specific implementation guidelines, because non-compliance can have severe repercussions for your company and possibly for you personally.  Review your organization's policies for managing patient data; create them if they don't yet exist.

Work closely with your business leaders and consult your software vendor, rather than creating policies and implementing systems on your own.

If you're in the US, start with an unofficial introduction (http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act), then continue with the U.S. Department of Health & Human Services WWW site http://www.hhs.gov/ocr/privacy/.  Canada and the EU have similar requirements.

LVL 40

Expert Comment

ID: 36720609
Depends how well the application is built I guess.
There's a lot of breaking in using sql-injection based attacks through web interfaces. to guard against it you need at least a very well written application, but extra shielding can help.
And VPN tunnels don't need to that big a burden. IPSEC has means to have additional authentication through radius f.e. ==> it's not that hard to use smartcard based access control.

You are talking about (very?) personal data of real people here... no need to get sloppy.

Expert Comment

ID: 36731521
Sloppiness isn't the issue.

Of course one would wish to build the most secure system one can, given the available time/money.  However, not all businesses will spend significantly more time or money than required by the due diligence "bar" for their industry and regulatory environment.

The key point is that tech people should never make such decisions on their own, *especially* where government regulations exist.  Yes, tech people should design, recommend, advocate, and defend strong technical solutions.  But business decisions should be made by the business, regardless of the industry.


Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the shift in today’s hiring climate (http://blog.experts-exchange.com/ee-blog/5-tips-on-succeeding-in-the-new-gig-economy/?cid=Blog_031816), many companies are choosing to hire freelancers to get projects completed efficiently and inexpensively…
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question