How MEDITECH’s approach to cybersecurity ensures safety for patients, providers, and organizations

April 23, 2024 |  Security, Big Data, C-level, Healthcare IT, MaaS, Ransomware

MKT17789BlogCyberwithdesign (1)

Following the recent ransomware attack on Change Healthcare, many healthcare organizations are rightly reviewing and considering their cybersecurity posture — and that of their EHR vendor.

At MEDITECH, we work to meet or exceed all industry-standard security best practices in our corporate operations and in the products and solutions that we develop and deploy. 

We’ve also worked closely with our customers and vendor partners to ensure that data is kept secure, the EHR infrastructure is maintained continuously, and threats can be identified and mitigated before causing harm.

Along with our commitment to always adhere to legal and regulatory requirements governing protected health information (PHI), MEDITECH remains focused on our ultimate priority: keeping patients safe.

Whether you’re a newer customer or you’ve been with us for decades, you can trust that our products and services keep your data secure and protected from threats.

Committed to security, for ourselves and our customers 

Security has always been top of mind at MEDITECH, and we built the Expanse platform for organizations of all sizes that also safeguards their data. 

These safeguards include password protection and authentication, role-based access control (RBAC), audit trails that track user and patient activity, dictionary edit tracking, and activity logs specific to each program, such as clinical applications for patient information and financial applications for claims and payment processing.

Because Expanse is a web-based platform, we’ve configured our web server to work only with current and secure versions of TLS and accompanying cipher suites. 

We maintain our cloud environment to meet the latest ISO standards, with our deployment, maintenance, and monitoring processes currently certified as meeting ISO 27001 standards, and additional controls satisfying ISO 27017 and ISO 27018. 

Shared responsibility model with MaaS

Over the last few years, our MEDITECH as a Service (MaaS) subscription solution has grown to include more than 100 hospitals and health systems around the world, delivering all the benefits of Expanse without needing large upfront investments. 

MaaS also provides a shared responsibility model for cybersecurity, where we manage and protect infrastructure, giving customers full control over access to their data and freeing them up from the cost and time needed to maintain the system.

In one recent case, Mile Bluff Medical Center subscribed to MaaS and moved its data to the cloud, reducing the organization's need to manage their infrastructure.

“We didn’t have to buy more hardware on the server end of things. Our computer room is quite full already, so that was definitely a benefit to reduce the size of that footprint,” said David Spence, Director of IT at Mile Bluff. “This transition has allowed us to focus on other elements in our environment and better respond to our organizational needs.” 

MEDITECH also works closely with Google Cloud to offer a secure, cloud-based data center, providing another layer of protection for patient records. 

By taking on the responsibility to oversee the organization’s EHR data security, MEDITECH can quickly respond to incidents like ransomware and implement effective disaster response protocols, allowing us to meet aggressive recovery time objectives (RTO) for the hospital’s primary data. 

Keeping customers informed and prepared

In addition to our MaaS subscribers, many customers maintain on-premise data centers, which usually requires additional staff and resources to monitor, maintain, and patch their data infrastructure.

MEDITECH works closely with customers’ IT staff to help them maintain a robust cybersecurity posture for early detection and containment of threats, effective forensic reviews, and successful coordination with law enforcement when appropriate. 

We also publish regular newsletters with updates on vulnerabilities, advisories, and major incidents — so whether you manage your own system or have MEDITECH take the lead, you can stay informed with the latest news and trends in health IT. Customers can subscribe here.  

Our information security portal for customers includes a list of resources that anyone involved in health data security — from IT directors to executives — can use to inform their decision-making and refine their approach, including:

A fairly new agency, CISA is charged with leading federal cybersecurity efforts and coordinating the work to improve the security and resilience of the country’s digital infrastructure.

CISA recently retired the former US-CERT (U.S. Computer Readiness Team) and ICS-CERT (Industrial Control Systems Computer Readiness Team) advisory systems, combining them in a single web page on the CISA website.

Not to be confused with CISA, this nonprofit organization offers a wide range of informative resources, including benchmarks and controls that business and government entities can use to protect their data.

CIS developed this guide to Cybersecurity for Healthcare and Life Sciences that delves into the various types of threats that are unique to health systems, due to their handling of protected health information (PHI), and outlines a number of solutions that can address their vulnerabilities. 

A leader in cybersecurity training for over 35 years, SANS Institute recently announced a new training portfolio that offers shorter, scalable modules for users and cybersecurity teams.

The Institute’s new curriculum covers everything from cybersecurity fundamentals to cloud security to integrated risk management, with new certifications available in incident readiness and offensive tactics.

As hospitals and health systems continue to evolve, and new trends like AI are brought into healthcare IT, MEDITECH is committed to upholding the highest standards of security and safety for our customers, partners, and solutions.

If you have questions about how your organization is securing its data, or how you can manage your cybersecurity approach to be better prepared for adverse events, contact your MEDITECH account representative.


Meet MEDITECH's innovators and see how Expanse improves care.

Explore The Innovators Booklet

Written by Thomas Moriarty, CISSP, Manager, Information Security, MEDITECH

Tom Moriarty has more than 18 years' experience in the medical software industry, with 10+ years in Information Security. He has extensive experience in meeting the latest guidelines in security, with a strong concentration in the ISO 27000 family of standards. As Manager of Information Security at MEDITECH, Tom builds trusted relationships with strategic customers and manages complex cross divisional projects involving diverse parts of the organization.
Find me on: