Date of Award

Spring 2012

Degree Type

Thesis (Restricted access)

Degree Name

Master of Science in Information Technology Leadership (MS ITL)


Computer Science

First Advisor

Margaret McCoey


There is a growing trend to have small to medium-sized healthcare providers adopt certified Electronic Health Records (EHR) or Electronic Medical Records (EMR) systems as part of Federal Meaningful Use incentive programs to modernize the delivery of healthcare. The major barrier to adoption of these systems is the implementation cost. There are multiple providers of outsourced and cloud-based certified EMR or EHR systems who promise to provide security that meets the required standards, which are defined in the Health Information Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), and the Meaningful Use financial incentive programs from the Center for Medicare and Medicaid Services. These solutions can provide healthcare practitioners with significant cost savings over hosting their own EMR system.

The addition of an EMR system to a medical practice adds significant risk and the potential for financial and reputational damage because an unauthorized data breach is equally great. The addition of any EMR system to any medical practice requires additional security and processes. The implementation of a cloud-based or outsourced solution does not immediately provide the security an organization needs to protect them. There are multiple other factors which affect the security of any medical office or EMR system that need to be addressed.

This provides a comprehensive solution set to address these issues and mitigate risks. This involves the development of a selection instrument based on federal regulations which can be used by small to medium-sized healthcare providers to determine if their choice of cloud-based EMR systems meets the requirements as stipulated under HIPAA, HITECH, and Meaningful Use. To address residual risk in the offices identified during the creation of the instrument, a vendor selection process based on the criteria in the instrument is used to find solutions to those issues. A recommended implementation strategy for a small to medium-sized healthcare provider is then provided. The benefits and lessons learned are then discussed along with salient points for the overall conclusion.


This capstone is restricted. Permission from the authors is required in order to access this document.