Secure and Accessible Electronic Medical Records: Setting
Up Your Own Reliable, Low-Cost Web-Based System
records are often required at multiple sites, but secure data
transmission has been problematic for many providers and
organizations. This document describes a practical method for
using readily available, inexpensive software components to
build an electronic medical record system that is accessed
securely via the World Wide Web.
Operating System and Hardware
The system described here can be run under the increasingly
popular Linux operating system on ordinary IBM PC-compatible
hardware. The cost of hardware for a powerful system (without
monitor) should easily be less than $1,000.
The software required can be set up by someone with the degree
of computer expertise that is now commonly available among
advanced high school students. To ensure low cost and reliable
high quality, one may use open-source software packages.
Because the software improves rapidly with updates every few
months, including security updates, the latest versions should
be used. A standard Web browser running on any hardware can be
used to retrieve and input data from and to the server. Three
components are required for the server computer:
Equivalent Microsoft software (www.microsoft.com), which may be
less secure (www.cert.org), costs at
least $3,000 (Windows NT Server with 5 clients, $800 at
msstore.pparadise.com. Internet server suite (with SQL
server), $2,300 at
- A secure Web server. One popular choice is the
Apache Web server (www.apache.org) with the Raven security
module (www.covalent.net). The Raven
module costs $357. The Apache server comes with a no-cost
license for unrestricted use. A less expensive secure server
is available from www.redhat.com.
- A database server. The popular MySQL database
server (www.tcx.se) is a full-fledged
SQL database that differs in capabilities from Oracle largely
in its lack of transactional support (commit/rollback).
The MySQL server comes with a no-cost license for unrestricted
use except for resale of the MySQL software itself. See the
Web site for details.
- A server-side Web script interpreter. PHP
(www.php.net) is a
powerful scripting language whose interpreter can be built right
into the Apache Web server for enhanced speed.
The PHP package comes with a no-cost license for unrestricted use.
Creating Your Electronic Medical
After installation of the software components described above,
the following steps are required: (1) generation of a secure
Server Certificate using the software, (2) writing the scripts
that implement the user interface to the database, and (3)
creating the database structure and initializing it from
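
Step (1) above, sketched as an added example that is not part of the original article: it uses the OpenSSL command-line tool (an assumption; the article does not name the tool) to create a server certificate and run the checks worth doing before handing it to the Web server. The host name, directory layout and the function names gen_server_cert and check_server_cert are constructed for illustration.

```shell
#!/bin/sh
# Added example. Host name and directory are constructed placeholders.

# gen_server_cert HOST DIR
# Writes DIR/server.key (owner-only) and a self-signed DIR/server.crt.
# Self-signed is for testing; in production send a CSR to a CA instead.
gen_server_cert() {
    host=$1; dir=$2
    mkdir -p "$dir" || return 1
    ( umask 077   # the private key must never be group/world readable
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
          -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
}

# check_server_cert HOST DIR
# Returns 0 only if every pre-deployment check passes; names the first failure.
check_server_cert() {
    host=$1; crt=$2/server.crt; key=$2/server.key

    # 1. Key file permissions: no bits set for group or others.
    case "$(ls -ld "$key" 2>/dev/null)" in
        ????------*) ;;
        *) echo "FAIL: $key is missing or readable by group/others"; return 1 ;;
    esac

    # 2. The certificate's public key must be the one derived from the key file.
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || cpub=
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || kpub=
    if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then
        echo "FAIL: certificate and private key do not match"; return 1
    fi

    # 3. The certificate must name the host that browsers will connect to.
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match" || { echo "FAIL: cert does not cover $host"; return 1; }

    # 4. More than 30 days of validity left (2592000 seconds).
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: certificate expires within 30 days"; return 1; }

    echo "OK: $crt is ready to install"
}
```

Call `gen_server_cert emr.example.org ./tls` once, then `check_server_cert emr.example.org ./tls` before every deployment or renewal.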
An open-source project to develop medical office software has
existed for about a year, and now appears to be reaching the
point of being useful. It is named The FreeMed Project and is
located at www.freemed.org. It
is based on Apache and PHP, the software described above, and
uses standard Web browsers for the user interface. At the
moment Freemed is available in German, French, Spanish, Italian
and Chinese as well as English.
This software is probably not useful for practical use in the
short term, but is a good basis for customization by a
consultant (see below).
Many organizations choose not to invest their professional time
in learning how to set up and install the above packages, and
similarly choose not to learn how to write the scripts
necessary to create an operational medical records system. In
these cases, consultants may be hired to perform these tasks as
well as to train staff in the operation of the new database
When selecting consultants, it is prudent to remember that the
consultant is offering a personal service. He or she must talk
at length with the client physicians and office staff to ascertain
how the database should be structured and how work should flow
through the user interfaces. Often this information is not
provided directly by clients, but rather must be inferred and
intuited from what the clients say and do. Thus, the
consultant's personality should mix well with the personalities
in the client office(s). The consultant should be prepared
to provide several prototype implementations, each a refinement
of the one before it, to allow the clients to see how the new
system will look and function, before actual implementation is
performed. It is wise to prepare a statement of work to be
performed to make sure that everyone has the same idea of what
the final product will be able to do.
It is reasonable to expect that the consultant will provide a
copy of the source code so that the client can have someone
else update and support the purchased system in case the
original consultant cannot. This source code can either be owned
by the client or, more likely, licensed from the consultant
with the right to make modifications for internal use.
The cost of preparation of an electronic medical system depends
on the complexity of the task. Readers should be sure to look
at turn-key systems in the market to see whether their needs
might be better met with such systems than with a
custom-tailored but perhaps less sophisticated system of the
type described here.
Comprehensive support for the Linux operating system is
available from IBM and from Hewlett-Packard, as well as from
less well-known companies such as LinuxCare.
Support for custom-written software should be available from
whoever wrote it, for a reasonable annual fee.
For questions or comments on this document, please email firstname.lastname@example.org.
Copyright © 2000
All Rights Reserved.