What server operating system should I use on EMR server?
Hello Experts,
I am setting up a new EMR server for the company I work at and I want to know what a good operating system would be to use on it. Would Linux be better since it is going to be hosting medical records? The EMR software they are using now is "vision" and it is web based. I believe they are going to be using the server to backup information and to use it as a network gateway. Any reccommendations would be greatly appreciated. Thanks.
I am setting up a new EMR server for the company I work at and I want to know what a good operating system would be to use on it. Would Linux be better since it is going to be hosting medical records? The EMR software they are using now is "vision" and it is web based. I believe they are going to be using the server to backup information and to use it as a network gateway. Any reccommendations would be greatly appreciated. Thanks.
You probably also need to pay attention to hardening the system, moving it into a secure place and restrict the methods & places where it can be reached from.
f.e. anly access using 2 factor authentication, from outside an office only using encrypted tunnels from presetup laptops etc. (No unencrypted local data on the laptop though).
f.e. anly access using 2 factor authentication, from outside an office only using encrypted tunnels from presetup laptops etc. (No unencrypted local data on the laptop though).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Depends how well the application is built I guess.
There's a lot of breaking in using sql-injection based attacks through web interfaces. to guard against it you need at least a very well written application, but extra shielding can help.
And VPN tunnels don't need to that big a burden. IPSEC has means to have additional authentication through radius f.e. ==> it's not that hard to use smartcard based access control.
You are talking about (very?) personal data of real people here... no need to get sloppy.
There's a lot of breaking in using sql-injection based attacks through web interfaces. to guard against it you need at least a very well written application, but extra shielding can help.
And VPN tunnels don't need to that big a burden. IPSEC has means to have additional authentication through radius f.e. ==> it's not that hard to use smartcard based access control.
You are talking about (very?) personal data of real people here... no need to get sloppy.
Sloppiness isn't the issue.
Of course one would wish to build the most secure system one can, given the available time/money. However, not all businesses will spend significantly more time or money than required by the due diligence "bar" for their industry and regulatory environment.
The key point is that tech people should never make such decisions on their own, *especially* where government regulations exist. Yes, tech people should design, recommend, advocate, and defend strong technical solutions. But business decisions should be made by the business, regardless of the industry.
--klodefactor
Of course one would wish to build the most secure system one can, given the available time/money. However, not all businesses will spend significantly more time or money than required by the due diligence "bar" for their industry and regulatory environment.
The key point is that tech people should never make such decisions on their own, *especially* where government regulations exist. Yes, tech people should design, recommend, advocate, and defend strong technical solutions. But business decisions should be made by the business, regardless of the industry.
--klodefactor
From that point your OS decision is based on the skill sets available to manage the server, any site-specific policies, business requirements, or security requirements.
I also don't think you should use an EMR system for anything except EMR. Again, medical records are supposed to be protected fairly well, so it's easiest to demonstrate e.g. HIPAA compliance if the records are on a single-purpose system.
--klodefactor