Hospitals and physicians need to ramp up their security scrutiny of electronic health records systems as a result of recent changes in the Department of Health and Human Services' certification of health IT products, says privacy attorney David Holtzman.
HHS will no longer have its contractors scrutinize most EHR security features, and it's ending random audits of certification compliance. Those changes mean EHR users must, more than ever, take steps to ensure EHRs truly offer all the security functions required to be certified for participation in federal incentive programs, Holtzman says in an interview with Information Security Media Group.
"My advice would be in the [EHR] acquisition process to ensure that there are appropriate protections in the acquisition agreement, as well as the terms-of-use agreement, to protect the healthcare organization from unintended consequences or defects in the EHR, as well as to have an opportunity to be indemnified against any damage or additional cost or expenses that are due to the purchase or receipt of an EHR that turns out to be not as advertised, or doesn't perform as attested," says Holtzman, a vice president at the consultancy CynergisTek.
"It is very unlikely that the hospital or the physician's office will be able to turn to HHS' Office of the National Coordinator for Health IT or their authorized certification body for assistance or relief," he says. That makes it critical to have "a well-planned, well-executed independent assessment and review by experts prior to - or just at the time - the EHR is being integrated into the operations of the organization," he says.
Health IT Program Changes
On Sept. 21, officials of ONC announced two major changes they said are designed to improve the certification program's efficiency and to "reduce the burden industrywide" (see Analyzing Changes to EHR Certification Practices).
One change allows testing procedures for 30 of 55 certification criteria for health IT products to be "self-declarations" by developers, instead of requiring those developers to have the features scrutinized by ONC-authorized testing labs. Among the 30 certification criteria are several security-related features.
The other significant change ONC made involves "exercising discretion for randomized surveillance of certified health IT products." So, instead of having ONC-authorized certification bodies conduct random surveillance on health IT products to help ensure compliance with certification requirements, the scrutiny will be "complaint-driven," ONC says.
Under the previous random surveillance program, ONC-authorized certification bodies - or certified contractors - found 108 health IT certified products "that did not comply with a requirement for certification," Holtzman notes.
"That meant that the product was under review and the developer or vendor had an obligation to either fix or withdraw the product from the certification program," he notes. "Since the beginning of 2016, 61 certified health IT products had been decertified."
Moving from proactive scrutiny of EHRs to a reactive, complaint-driven process, Holtzman says, "calls into question what will be the impact on the public, as well as healthcare organizations, that are relying on the self-certification. I don't think it's sensational to say that there is every possibility that ONC's [previous] program of proactive review of products before they entered the marketplace saved lives."
In the interview, Holtzman also discusses:
- The most worrisome security features that EHR vendors can now "self-declare" for the certification of their products;
- Other factors to consider as the risk burden involving certified EHRs shifts from vendors to healthcare providers;
- The significance of a $155 million settlement earlier this year between federal regulators and EHR vendor eClinicalWorks in a case involving the company allegedly falsely claiming it met the HITECH Act EHR incentive program's certification requirements.
Holtzman is vice president of privacy and security compliance services at the consulting firm CynergisTek. Previously, the attorney was a senior adviser at HHS' Office for Civil Rights, which enforces HIPAA.