OIG Questions Certified EHR Security
Report Says Inadequate ONC Oversight Could Pose EHR Risks
A new report from a government watchdog agency says the Office of the National Coordinator for Health IT's initial oversight of electronic health record testing and certification bodies did not fully ensure that patient data within EHRs is protected.
The ONC designated six organizations to initially test and certify EHR software that qualifies for the HITECH Act's EHR incentive program, which is providing billions of dollars in payments to physicians and hospitals that "meaningfully use" certified EHR software.
At a minimum, certified EHRs must meet security requirements related to seven information technology areas: access control, emergency access, automatic log-off, audit log, integrity, authentication and general encryption.
The report from the Department of Health and Human Services' Office of Inspector General alleges that ONC's oversight of these testing and certification bodies did not fully ensure that test procedures and standards could help secure and protect electronic patient information contained in EHRs. Among reasons OIG cited for the deficiencies was a lack of training of personnel at these testing and certification organizations.
OIG's report recommends that ONC require certification bodies to develop procedures to evaluate if EHRs continue to meet federal standards and develop training programs for personnel to competently test and certify EHRs. It also recommends that ONC work with the National Institute of Standards and Technology to strengthen EHR test procedure requirements.
In its reply to the report, ONC says it's reviewing OIG's concerns and related recommendations. But it points out that it's already been taking steps to change and strengthen its EHR testing and certification program. The OIG review only covered ONC's temporary certification program that was in effect from June 24, 2010, to Oct. 4, 2012, and ONC's revamped, permanent certification program has been in effect since then. However, five of the six organizations in the temporary program have been approved to test and certify EHRs under the permanent program. Starting this year, providers and hospitals must use EHRs that are certified under the beefed-up 2014 Edition EHR Certification Criteria to achieve meaningful use.
In its review, OIG found that ONC's oversight of the testing and certification bodies did not fully ensure that the organizations:
- Developed procedures to periodically evaluate whether certified EHRs continued to meet federal standards; and
- Developed a training program to ensure that their personnel were competent to test and certify EHRs and to secure proprietary or sensitive EHR information.
"The Authorized Testing and Certification Bodies' standards and procedures for testing and certifying EHRs met all NIST test procedure requirements that ONC approved," the OIG says. "However, those NIST test procedures were not sufficient to ensure that EHRs would adequately secure and protect patient health information; in particular, the procedures allowed ATCBs to certify EHRs that demonstrated the use of a single-character password during testing. In addition, the NIST test procedures did not address common security issues, such as, but not limited to, password complexity and/or logging emergency access or user privilege changes."
Inaccurate testing and certification of EHRs could potentially leave healthcare providers vulnerable to security risks, the OIG says. "Certification assures healthcare providers that the EHR has the capabilities needed, including appropriate record security and protection, for providers to participate in the [HITECH] programs. If insecure systems have been certified, providers and patients may have a false sense of security and assurance."
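The gaps OIG describes (a test that lets a single-character password through, and no check that emergency access or privilege changes are logged) can be expressed as a small certification-style test harness. The following is an added illustration, not code from the OIG report, ONC or any certification body; the EhrAuth class, the password rules and the sample events are constructed for this example, and the "hardened" rule is an assumed policy rather than an ONC or NIST criterion.

```python
import hashlib
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Weak rule modelled on the gap OIG describes: any non-empty password, even one character, passes.
def weak_password_ok(pw: str) -> bool:
    return len(pw) >= 1

# Hardened rule (an assumed policy, not an ONC or NIST criterion): 12+ chars and 3 of 4 character classes.
def strong_password_ok(pw: str) -> bool:
    classes = sum(re.search(p, pw) is not None for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) >= 12 and classes >= 3

@dataclass
class EhrAuth:
    """Toy EHR authentication module: enforces one password rule and appends audit events."""
    password_ok: Callable[[str], bool]
    users: Dict[str, tuple] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def register(self, user: str, pw: str) -> bool:
        if not self.password_ok(pw):
            return False
        salt = os.urandom(16)  # salted PBKDF2 so the stored value is not the password itself
        self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000), "clinician")
        return True

    def emergency_access(self, user: str, patient_id: str, reason: str) -> None:
        # "Break the glass" access must leave an audit trail even when it is authorised.
        self.audit_log.append({"event": "EMERGENCY_ACCESS", "user": user, "patient": patient_id, "reason": reason})

    def change_privilege(self, actor: str, target: str, new_role: str) -> None:
        salt, digest, old_role = self.users[target]
        self.users[target] = (salt, digest, new_role)
        self.audit_log.append({"event": "PRIVILEGE_CHANGE", "actor": actor, "target": target, "from": old_role, "to": new_role})

def certification_checks(auth: EhrAuth) -> Dict[str, bool]:
    """Run the checks OIG says the temporary test procedures did not cover."""
    results = {}
    results["rejects_single_char_password"] = not auth.register("tester", "a")
    results["accepts_complex_password"] = auth.register("dr_smith", "Correct-Horse-7-Battery")
    auth.emergency_access("dr_smith", "PT-0001", "cardiac arrest, treating clinician unavailable")  # constructed sample
    results["logs_emergency_access"] = any(e["event"] == "EMERGENCY_ACCESS" for e in auth.audit_log)
    auth.change_privilege("admin", "dr_smith", "administrator")
    results["logs_privilege_change"] = any(e["event"] == "PRIVILEGE_CHANGE" and e["to"] == "administrator" for e in auth.audit_log)
    return results

if __name__ == "__main__":
    for name, rule in (("weak", weak_password_ok), ("hardened", strong_password_ok)):
        print(name, certification_checks(EhrAuth(rule)))
```

Run against the weak rule, the harness reports that a one-character password is accepted, which is exactly the outcome the approved test procedures failed to flag.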
OIG says that as of Aug. 30, 2013, there were 3,590 certified EHR systems available to healthcare providers, 95 percent of which were certified under the Temporary Certification Program for Health Information Technology.
In response to OIG's review, ONC notes that the ATCBs are no longer active in the ONC certification program and that testing and certification functions are now performed by separate entities. ONC also noted that it currently is using new "2014 Edition" EHR certification criteria that have "strengthened test procedures for common security and privacy features for inclusion in EHRs."
Responding to ONC's comments, the OIG notes, however, that it "does not agree that the 2014 Edition EHR Certification Criteria sufficiently address our security concerns regarding the temporary program."
An ONC spokesman tells Information Security Media Group that in addressing concerns over EHR security, "we substantially revised the 'auditable events and tamper resistance' certification criterion and we adopted a new 'end-user device encryption' criterion."
The ONC spokesman also notes that ONC has been strengthening security requirements for EHRs. Those include criteria for patients to securely view, download and transmit their health records, and the transitions of care certification criterion, which for transmission using Direct requires digital certificates and encryption of the transmitted files.
"There's more to it than just the specifically called out privacy and security functionality that we have explicitly named certification criteria for,"
Additionally, ONC "will review OIG's ongoing comments before we determine appropriate next steps," he says.
Precautions for Healthcare Entities
Brian Evans, a senior managing consultant at IBM Security Services, says hospitals and physicians can take precautions if the OIG report makes them question whether the certified EHRs they've implemented are adequately protecting patient data.
"Healthcare entities are expected to already have conducted a risk analysis on their EHR and should be remediating issues identified through the process," he notes. Some examples of what they might identify include generic user accounts, inadequate audit logging and monitoring, outdated disaster recovery plans and a lack of encryption, he says.
Where's the Beef?
While the OIG report points out deficiencies in ONC's oversight of EHR testing and certification organizations, David Holtzman, a vice president at security consulting firm CynergisTek, says the review is outdated.
"OIG claims that one weakness was that ONC's testing and certification agencies did not continually evaluate the electronic health record systems once they were certified. OIG claims this would allow EHR vendors to make changes to certified technology that would weaken safeguards for protecting electronic protected health information," he notes.
"However, OIG never actually examined any EHR technology, much less provided even one example of where any vendor modified any technology in this manner. While the OIG claims that the revised standards established by ONC in the permanent certification program adopted by ONC are deficient, OIG did not engage in any substantive analysis or examination of the 2014 criteria before denouncing it as substandard. As the old saying goes 'Where's the Beef?'," he says.
"In the 2 years OIG spent writing its report, the temporary certification program and the testing standards have undergone substantial changes. In my view, this report does not provide much in the way of a meaningful, timely analysis of the privacy and security safeguards in EHR technology," says Holtzman, a former senior adviser at HHS' Office for Civil Rights, which oversees HIPAA compliance.