A Higher Security Standard for EHRs

Testing for Tougher Interoperability, Security Requirements
A new, voluntary, private-sector certification program aims to help assure healthcare organizations that electronic health record and health information exchange software, as well as medical devices, meet tough security and interoperability requirements.

ICSA Labs, a unit of Verizon, in January will begin testing health IT products to certify that they meet the security and interoperability standard profiles of IHE USA, a non-profit interoperability standards deployment committee of IHE International, says Amit Trivedi, ICSA Labs' healthcare program manager.

IHE includes 575 members that collaborate to improve the way computer systems in healthcare share information.

ICSA Labs is also one of a handful of organizations authorized by the Office of the National Coordinator for Health IT (ONC) to test and certify that EHR software meets the software certification requirements of the HITECH Act electronic health record incentive program.

Raising the Bar

Under the new, independent certification program, products will be tested and certified as meeting interoperability and security capabilities that, in many cases, exceed ONC's certification requirements, Trivedi says. "The certification is another means for healthcare organizations to evaluate products to make decisions based on their health information exchange needs," he says.

In recent months, some Republican members of Congress have questioned whether the HITECH program's interoperability requirements are tough enough (see: Congress Gets HITECH Progress Report).

ICSA Labs will test health IT products against IHE's security and interoperability profiles, including ATNA, the Audit Trail and Node Authentication Integration Profile. ATNA goes beyond the HITECH requirements for certification of EHR software, Trivedi says.

The new certification program may also help fill a gap in the security and interoperability requirements for EHR modules that some organizations will use to meet Stage 2 requirements for the HITECH Act incentive program, Trivedi says. Under the HITECH Act, healthcare providers can choose to use a "complete EHR" or a set of modular EHR products that, when combined, meet software certification requirements (see: Ensuring EHR Module Security, Privacy).

In Stage 1 of the HITECH program, which began in 2011 and continues through next year, EHR modules are required by ONC to meet a number of key privacy and security capabilities in order to be certified for the program.

However, for Stage 2 of the program that begins in 2014, ONC dropped those sweeping security and privacy requirements for each EHR module. Instead, in Stage 2, if healthcare providers take the modular EHR approach, they may mix and match products that, when combined, fulfill a "base" set of security and privacy attributes.

The onus is on healthcare providers to determine whether the combination of modules they choose meets those base security and privacy requirements. Providers taking the modular EHR approach also need to verify that each module's security and privacy capabilities are compatible with those of the other modules in use.

Bolstered Security

The new certification program can help healthcare providers address that challenge, Trivedi says. That's because products being tested and certified under this new program will need to meet a set of security and privacy capabilities that were included in the HITECH Stage 1 requirements, as well as other capabilities, such as ATNA, Trivedi says.

By purchasing products with this extra certification, healthcare organizations will gain added assurances about interoperability and security, he contends.

"This certification allows us to test against a higher bar for privacy and security, and higher level of health information exchange capabilities, including repositories," he says.

Assessing the Impact

While a new security and interoperability seal of approval might help healthcare organizations in vetting products, one security expert isn't convinced that EHR vendors will be racing to get another certification.

"I suspect EHR and other product companies would not ask for or want a new certification like this but would support it if required to do so," says Brian Evans, principal at Brian Evans Consulting.

Nevertheless, Evans thinks raising the security bar with a new certification is a good idea.

"I believe a more rigorous certification program is in order. I still encounter healthcare organizations throughout the country that cannot tell me how their EHR meets the [HITECH] meaningful use Stage 1 security requirements," Evans says. "For example, when asked what encryption algorithm the EHR employs ... the common response is that 'we do not know which encryption algorithm is available but we have a certified EHR so it had to meet this requirement'."

More information about the new certification program is available at the IHE website.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
