Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

What server operating system should I use on EMR server?

Posted on 2011-09-26
Last Modified: 2012-05-12
Hello Experts,

I am setting up a new EMR server for the company I work at and I want to know what a good operating system would be to use on it.  Would Linux be better since it is going to be hosting medical records?  The EMR software they are using now is "vision" and it is web based.  I believe they are going to be using the server to backup information and to use it as a network gateway.  Any reccommendations would be greatly appreciated.  Thanks.
Question by:Brent Johnson
  • 3
  • 2

Expert Comment

ID: 36630303
Particularly in the medical industry with all of its regulations, the choice of OS should be driven by the vendor.  If they support e.g. RedHat Enterprise Linux 6 and MS Windows Server 2008 R2, those are your two choices.  Otherwise your system can be deemed non-compliant.

From that point your OS decision is based on the skill sets available to manage the server, any site-specific policies, business requirements, or security requirements.

I also don't think you should use an EMR system for anything except EMR.  Again, medical records are supposed to be protected fairly well, so it's easiest to demonstrate e.g. HIPAA compliance if the records are on a single-purpose system.

LVL 40

Expert Comment

ID: 36713563
You probably also need to pay attention to hardening the system, moving it into a secure place and restrict the methods & places where it can be reached from.

f.e. anly access using 2 factor authentication, from outside an office only using encrypted tunnels from presetup laptops etc. (No unencrypted local data on the laptop though).

Accepted Solution

klodefactor earned 500 total points
ID: 36718473
Noci: a higher level of security is always nice, but for medical data it might be overkill to go to the lengths you describe.  Access via HTTPS generally suffices; no need to mess around with user VPN connections.  Two-factor authentication is nice but may not be required.

johnsonbrentw: My best advice is that you not take our word for specific implementation guidelines, because non-compliance can have severe repercussions for your company and possibly for you personally.  Review your organization's policies for managing patient data; create them if they don't yet exist.

Work closely with your business leaders and consult your software vendor, rather than creating policies and implementing systems on your own.

If you're in the US, start with an unofficial introduction (http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act), then continue with the U.S. Department of Health & Human Services WWW site http://www.hhs.gov/ocr/privacy/.  Canada and the EU have similar requirements.

LVL 40

Expert Comment

ID: 36720609
Depends how well the application is built I guess.
There's a lot of breaking in using sql-injection based attacks through web interfaces. to guard against it you need at least a very well written application, but extra shielding can help.
And VPN tunnels don't need to that big a burden. IPSEC has means to have additional authentication through radius f.e. ==> it's not that hard to use smartcard based access control.

You are talking about (very?) personal data of real people here... no need to get sloppy.

Expert Comment

ID: 36731521
Sloppiness isn't the issue.

Of course one would wish to build the most secure system one can, given the available time/money.  However, not all businesses will spend significantly more time or money than required by the due diligence "bar" for their industry and regulatory environment.

The key point is that tech people should never make such decisions on their own, *especially* where government regulations exist.  Yes, tech people should design, recommend, advocate, and defend strong technical solutions.  But business decisions should be made by the business, regardless of the industry.


Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally published Entrepreneur.com Booming numbers of freelancing professionals are changing the face of work. In the United States alone last year, the number of workers freelancing grew from 700,000 to 54 million, according to a Freelancers’…
Whether you believe the “gig economy,” as it has been dubbed, is the next big economic paradigm shift (https://www.theguardian.com/commentisfree/2015/jul/26/will-we-get-by-gig-economy) or an overstated trend (http://www.wsj.com/articles/proof-of-a-g…
The Bounty Board allows you to request an article or video on any technical topic, or fulfill a bounty request to earn points. Watch this video to learn how to use the Bounty Board to get the content you want, earn points, and browse submitted bount…
Saved searches can save you time by quickly referencing commonly searched terms on any topic. Whether you are looking for questions you can answer or hoping to learn about a specific issue, a saved search can help you get the most out of your time o…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question