
Washington Debrief: OIG Report Says Certified EHRs Lack Necessary Security

August 11, 2014
by Jeff Smith, Senior Director of Federal Affairs

Top News

ONC Provides New Details on 10-year Interoperability Roadmap

Key Takeaway: At Tuesday’s health IT policy committee meeting and in an accompanying blog post, the Office of the National Coordinator for Health IT (ONC) shared additional details about its 10-year vision for interoperability and announced the interactive Nationwide Interoperability Roadmap Community to capture stakeholder feedback.

Why it Matters: In June, ONC released its interoperability vision paper, “Connecting Health and Care for the Nation: A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure.” At the health IT policy committee meeting on Aug. 6, 2014, ONC shared additional details on the development and goals of a nationwide interoperability roadmap to accompany the vision paper.

ONC launched the interactive Nationwide Interoperability Roadmap Community to give stakeholders the opportunity to offer input, raise questions and provide use cases during the formation of the roadmap. Stakeholder comments are due September 12, 2014.

ONC describes the roadmap as a detailed plan for improving the exchange of health data between health IT systems. The roadmap will supplement the interoperability vision paper and spell out how the nation can collectively reach the 3-, 6- and 10-year interoperability milestones.

ONC will present the draft roadmap at the joint Federal Advisory Committee meeting in October. The draft roadmap will be posted for public comment in early 2015. ONC expects to have the roadmap completed in March 2015.

OIG Report Finds Certified EHRs Lack Necessary Security

Key Takeaway: A report from the Department of Health and Human Services’ (HHS) Office of the Inspector General (OIG) found that ONC’s authorized testing and certification bodies (ATCBs) did not comprehensively ensure that test procedures and standards adequately protect the patient information held in certified electronic health records (EHRs).

Why it Matters: According to the OIG report released this week, ONC’s certification standards for electronic health records may not properly protect patients’ health information; the report cites password complexity and the handling of user privilege changes as specific areas of weakness.

The report also questioned the NIST (National Institute of Standards and Technology) testing requirements, saying the testing was not sufficient to guarantee that certified EHRs would adequately secure and protect patient health information.

OIG recommended that ONC strengthen its EHR test procedure requirements to address these issues and to ensure that providers have EHR systems with adequate security and privacy features.

ONC officials responded to OIG that the ATCBs in question are no longer involved in the ONC Certification Program, adding that the 2014 Edition EHR Certification Criteria introduced strengthened test procedures for common EHR security and privacy features.

OIG disagreed with ONC’s response, noting that the 2014 criteria still do not require multifactor authentication. OIG also argued that ONC needs the ability to decertify products that are involved in data breaches.


Final IPPS Rule has HIT Implications