OIG Finds Vulnerabilities in ONC’s Temporary EHR Testing Program
August 5, 2014 in News
The Office of the National Coordinator for Health IT failed to ensure that procedures and standards used for testing electronic health records under its temporary certification program kept patient information secure and protected, according to a new report by HHS’ Office of Inspector General, Health Data Management reports (Slabodkin, Health Data Management, 8/5).
Under the 2009 economic stimulus package, health care providers who demonstrate meaningful use of certified EHR systems can qualify for Medicare and Medicaid incentive payments.
ONC initially established a temporary certification program for EHR systems. Under the temporary program, health care providers seeking to meet meaningful use requirements needed to use EHR systems approved by ONC’s authorized testing and certification bodies, or ATCBs.
For the report, OIG reviewed security requirements and staff training at five of six ATCBs in the temporary program (McCann, Healthcare IT News, 8/5).
The OIG report stated, “The process of certifying EHRs is designed, in part, to give providers the confidence to know that patient health information is secure and protected,” adding, “Our audit revealed vulnerabilities with the temporary EHR certification program.”
Specifically, OIG found that ATCBs involved in the program failed to create:
- Procedures to periodically assess whether certified EHRs continue to meet federal standards; and
- Training programs to ensure that staff members were able to accurately test and certify EHRs and secure sensitive patient data.
According to the report, “These vulnerabilities could allow hackers to penetrate EHR systems, thereby compromising the integrity, confidentiality and availability of patient information stored in and transmitted by a certified EHR.”
In the report, OIG recommended that ONC:
- Develop periodic EHR evaluations and training programs for staff handling EHRs; and
- Collaborate with the National Institute of Standards and Technology to strengthen EHR screening procedure requirements (Durben Hirsch, FierceEMR, 8/4).
In a written response to the report, ONC noted that:
- ATCBs are no longer active in the agency’s EHR certification program and have been replaced with Authorized Certification Bodies and Accredited Testing Laboratories; and
- New certification criteria have been implemented that have “strengthened test procedures for common security and privacy features for inclusion in EHRs” (Health Data Management, 8/5).
However, OIG said the new certification criteria do not address certain security criteria and fail to meet some industry best practices, including multifactor authentication. OIG also noted that ONC does not have the authority to remove an EHR from the approved EHR product list unless the agency finds that an ATCB acted inappropriately (FierceEMR, 8/4).