ONC’s EHR security provisions inadequate, says OIG

Healthcare providers cannot attest to meaningful use unless they use certified EHR software. Providers purchasing certified EHR software tend to assume that a certified EHR has been rigorously tested and can be counted on to protect patient data. According to a report recently issued by the HHS Office of Inspector General (OIG), that assumption may not be valid.

The report publishes the results of an OIG audit of the ONC’s EHR Certification Program, focusing in particular on the structures and procedures meant to ensure the security of data held in electronic health records. The audit primarily reviewed the temporary certification program the ONC operated prior to 2014. That program was carried out by a group of five certification bodies (ACTBs) accredited by the American National Standards Institute and the National Voluntary Laboratory Accreditation Program, and the OIG found some troubling flaws in it. For instance, although the program was supposed to re-evaluate EHRs periodically after their initial certification, the OIG discovered that this did not consistently happen. As a result, some EHRs that had been modified after certification in ways that left them no longer compliant, in some cases seriously so, remained on the lists of certified products, and may still remain there.

The ONC disagreed with the OIG report, arguing that because the temporary program has been replaced by the permanent one, which applies the 2014 Edition EHR Certification Criteria, the OIG’s critiques are no longer relevant. The OIG therefore went back to determine whether the problems found in the temporary program had been corrected in the permanent one, and found that many had not. Among other concerns, the audit found that an EHR may be certified under the 2014 Edition criteria, as under the earlier temporary program, with passwords as short as a single character. A second significant issue has also persisted from the temporary program: if a certified EHR has been hacked and turned into malware, the ONC certification program is, except in rare cases, not authorized to decertify the product, even temporarily, in order to halt its sale. The OIG report contains a set of recommendations addressing these and other concerns.

See Modern Healthcare article at “OIG faults ONC’s electronic health record security provisions,” and a copy of the OIG report.

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security
