Solved

What server operating system should I use on EMR server?

Posted on 2011-09-26
5
120 Views
Last Modified: 2012-05-12
Hello Experts,

I am setting up a new EMR server for the company I work at and I want to know what a good operating system would be to use on it.  Would Linux be better since it is going to be hosting medical records?  The EMR software they are using now is "vision" and it is web based.  I believe they are going to be using the server to backup information and to use it as a network gateway.  Any reccommendations would be greatly appreciated.  Thanks.
0
Comment
Question by:Brent Johnson
  • 3
  • 2
5 Comments
 
LVL 4

Expert Comment

by:klodefactor
Comment Utility
Particularly in the medical industry with all of its regulations, the choice of OS should be driven by the vendor.  If they support e.g. RedHat Enterprise Linux 6 and MS Windows Server 2008 R2, those are your two choices.  Otherwise your system can be deemed non-compliant.

From that point your OS decision is based on the skill sets available to manage the server, any site-specific policies, business requirements, or security requirements.

I also don't think you should use an EMR system for anything except EMR.  Again, medical records are supposed to be protected fairly well, so it's easiest to demonstrate e.g. HIPAA compliance if the records are on a single-purpose system.

--klodefactor
0
 
LVL 39

Expert Comment

by:noci
Comment Utility
You probably also need to pay attention to hardening the system, moving it into a secure place and restrict the methods & places where it can be reached from.

f.e. anly access using 2 factor authentication, from outside an office only using encrypted tunnels from presetup laptops etc. (No unencrypted local data on the laptop though).
0
 
LVL 4

Accepted Solution

by:
klodefactor earned 500 total points
Comment Utility
Noci: a higher level of security is always nice, but for medical data it might be overkill to go to the lengths you describe.  Access via HTTPS generally suffices; no need to mess around with user VPN connections.  Two-factor authentication is nice but may not be required.

johnsonbrentw: My best advice is that you not take our word for specific implementation guidelines, because non-compliance can have severe repercussions for your company and possibly for you personally.  Review your organization's policies for managing patient data; create them if they don't yet exist.

Work closely with your business leaders and consult your software vendor, rather than creating policies and implementing systems on your own.

If you're in the US, start with an unofficial introduction (http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act), then continue with the U.S. Department of Health & Human Services WWW site http://www.hhs.gov/ocr/privacy/.  Canada and the EU have similar requirements.

--klodefactor
0
 
LVL 39

Expert Comment

by:noci
Comment Utility
Depends how well the application is built I guess.
There's a lot of breaking in using sql-injection based attacks through web interfaces. to guard against it you need at least a very well written application, but extra shielding can help.
And VPN tunnels don't need to that big a burden. IPSEC has means to have additional authentication through radius f.e. ==> it's not that hard to use smartcard based access control.

You are talking about (very?) personal data of real people here... no need to get sloppy.
0
 
LVL 4

Expert Comment

by:klodefactor
Comment Utility
Sloppiness isn't the issue.

Of course one would wish to build the most secure system one can, given the available time/money.  However, not all businesses will spend significantly more time or money than required by the due diligence "bar" for their industry and regulatory environment.

The key point is that tech people should never make such decisions on their own, *especially* where government regulations exist.  Yes, tech people should design, recommend, advocate, and defend strong technical solutions.  But business decisions should be made by the business, regardless of the industry.

--klodefactor
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

#Citrix #POC #XenDesktop #vCenter #VMware #ESX
Stuck in voice control mode on your Amazon Firestick?  Here is how to turn it off!!!
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now