Solved

What server operating system should I use on EMR server?

Posted on 2011-09-26
5
124 Views
Last Modified: 2012-05-12
Hello Experts,

I am setting up a new EMR server for the company I work at and I want to know what a good operating system would be to use on it.  Would Linux be better since it is going to be hosting medical records?  The EMR software they are using now is "vision" and it is web based.  I believe they are going to be using the server to backup information and to use it as a network gateway.  Any reccommendations would be greatly appreciated.  Thanks.
0
Comment
Question by:Brent Johnson
  • 3
  • 2
5 Comments
 
LVL 4

Expert Comment

by:klodefactor
ID: 36630303
Particularly in the medical industry with all of its regulations, the choice of OS should be driven by the vendor.  If they support e.g. RedHat Enterprise Linux 6 and MS Windows Server 2008 R2, those are your two choices.  Otherwise your system can be deemed non-compliant.

From that point your OS decision is based on the skill sets available to manage the server, any site-specific policies, business requirements, or security requirements.

I also don't think you should use an EMR system for anything except EMR.  Again, medical records are supposed to be protected fairly well, so it's easiest to demonstrate e.g. HIPAA compliance if the records are on a single-purpose system.

--klodefactor
0
 
LVL 40

Expert Comment

by:noci
ID: 36713563
You probably also need to pay attention to hardening the system, moving it into a secure place and restrict the methods & places where it can be reached from.

f.e. anly access using 2 factor authentication, from outside an office only using encrypted tunnels from presetup laptops etc. (No unencrypted local data on the laptop though).
0
 
LVL 4

Accepted Solution

by:
klodefactor earned 500 total points
ID: 36718473
Noci: a higher level of security is always nice, but for medical data it might be overkill to go to the lengths you describe.  Access via HTTPS generally suffices; no need to mess around with user VPN connections.  Two-factor authentication is nice but may not be required.

johnsonbrentw: My best advice is that you not take our word for specific implementation guidelines, because non-compliance can have severe repercussions for your company and possibly for you personally.  Review your organization's policies for managing patient data; create them if they don't yet exist.

Work closely with your business leaders and consult your software vendor, rather than creating policies and implementing systems on your own.

If you're in the US, start with an unofficial introduction (http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act), then continue with the U.S. Department of Health & Human Services WWW site http://www.hhs.gov/ocr/privacy/.  Canada and the EU have similar requirements.

--klodefactor
0
 
LVL 40

Expert Comment

by:noci
ID: 36720609
Depends how well the application is built I guess.
There's a lot of breaking in using sql-injection based attacks through web interfaces. to guard against it you need at least a very well written application, but extra shielding can help.
And VPN tunnels don't need to that big a burden. IPSEC has means to have additional authentication through radius f.e. ==> it's not that hard to use smartcard based access control.

You are talking about (very?) personal data of real people here... no need to get sloppy.
0
 
LVL 4

Expert Comment

by:klodefactor
ID: 36731521
Sloppiness isn't the issue.

Of course one would wish to build the most secure system one can, given the available time/money.  However, not all businesses will spend significantly more time or money than required by the due diligence "bar" for their industry and regulatory environment.

The key point is that tech people should never make such decisions on their own, *especially* where government regulations exist.  Yes, tech people should design, recommend, advocate, and defend strong technical solutions.  But business decisions should be made by the business, regardless of the industry.

--klodefactor
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I use more than 1 computer in my office for various reasons. Multiple keyboards and mice take up more than just extra space, they make working a little more complicated. Using one mouse and keyboard for all of my computers makes life easier. This co…
I've been asked to discuss some of the UX activities that I'm using with my team. Here I will share some details about how we approach UX projects.
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question