
Questions Surround EHR Security


Despite government efforts to certify otherwise, questions remain as to whether the Dept. of Health & Human Services Office of the National Coordinator for Health Information Technology is doing enough to ensure that commercially available electronic health record software programs adequately secure patient information.

Concerns were raised by the HHS Office of Inspector General (OIG) in a report released Aug. 4. The agency watchdog examined certification work conducted by authorized testing and certification bodies (ATCBs), which early on in the meaningful use program certified that electronic health records (EHRs) met established criteria that would allow doctors and hospitals to obtain Medicare or Medicaid incentive payments.


According to the report, as of Aug. 30, 2013, a total of 3,590 certified EHRs were available to health care providers, 95% of which were certified by ATCBs under a temporary certification program.

In examining the work done by ATCBs, the OIG found that oversight by the HHS Office of the National Coordinator for Health Information Technology (ONC) "did not fully ensure that test procedures and standards could adequately secure and protect patient information contained in EHRs," the report states. OIG claimed that the health IT office did not ensure that ATCBs "developed procedures to periodically evaluate whether certified EHRs continued to meet Federal standards and developed a training program to ensure that their personnel were competent to test and certify EHRs and to secure proprietary or sensitive information."

OIG notes that the ATCB standards and procedures met all National Institute of Standards and Technology (NIST) test procedure requirements that the ONC approved, but those procedures "were not sufficient to ensure that EHRs would adequately secure and protect patient health information; in particular, the procedures allowed ATCBs to certify EHRs that demonstrated the use of a single-character password during testing." NIST procedures also did not address common security issues, including password complexity and logging emergency access or user privilege changes.

In response to the draft, included as part of the report, ONC noted that ATCBs are no longer active in the certification. New certification criteria approved earlier this year have "strengthened test procedures for common security and privacy features for inclusion in EHRs." Additionally, ONC has "substantially revised the ‘auditable events and tamper resistance’ certification criterion, and we adopted a new ‘end-user device encryption’ criterion," as well as other security capabilities, according to a spokesperson. ONC will review the OIG’s comments before determining the appropriate next steps, the spokesperson added.

However, the OIG does not agree that the current certification regulations "sufficiently address our security concerns regarding the Temporary Program," such as multifactor authentication.

OIG also criticized the health IT office for not addressing the authority to remove from the market EHRs that are shown to have privacy and security flaws.

If an EHR "is exploited and used to conduct malicious activities, ONC is not able to remove the EHR, even temporarily, from the product list to prevent further purchases of it."

gtwachtman@frontlinemedcom.com
