ONC Oversight of EHR Testing, Certification Falls Short

Under the Office of the National Coordinator for HIT’s purview, authorized testing and certification bodies (ATCBs) did not fully ensure that test procedures and standards adequately secured and protected patient information contained in electronic health records.

That is the conclusion of the Department of Health and Human Services’ Office of Inspector General. A just-released OIG review finds that ONC did not ensure ATCBs developed procedures to periodically evaluate whether certified EHRs met federal standards, nor did ONC ensure ATCBs developed a training program to ensure that their personnel were competent to test and certify EHRs and to secure proprietary or sensitive patient information.

“The procedures allowed ATCBs to certify EHRs that demonstrated the use of a single-character password during testing,” states the OIG report. “In addition, the NIST test procedures did not address common security issues, such as, but not limited to, password complexity and/or logging emergency access or user privilege changes.”

OIG discloses that, as of August 30, 2013, 3,590 certified EHRs were available to healthcare providers, 95 percent of which were certified by ATCBs under the Temporary Certification Program for Health Information Technology (Temporary Program). “Our audit revealed vulnerabilities with the Temporary EHR certification program,” auditors conclude. “These vulnerabilities could allow hackers to penetrate EHR systems, thereby compromising the integrity, confidentiality, and availability of patient information stored in and transmitted by a certified EHR.”

To ensure that patient health information in EHRs is secure and protected, OIG recommends in the report that ONC require the ATCBs to develop procedures to periodically evaluate whether certified EHRs continue to meet federal standards, and to develop a training program to ensure that their personnel are competent to test and certify EHRs and to secure proprietary or sensitive EHR information. Auditors also recommended that ONC work with NIST to strengthen EHR test procedure requirements, so that ATCBs can verify during testing that EHR vendors have incorporated a baseline set of security and privacy features into their EHRs to address common security issues.

In a written response to the OIG report, ONC states that ATCBs are no longer active in the ONC Certification Program and that testing and certification functions are now performed by separate entities in the ONC Health Information Technology Certification Program: Authorized Certification Bodies and Accredited Testing Laboratories. ONC also stated that it is now using new certification criteria, the 2014 Edition EHR Certification Criteria, that have “strengthened test procedures for common security and privacy features for inclusion in EHRs.”

The temporary certification program was sunset in October 2012 when the permanent program started. However, ONC fails to mention that the four certifying agencies for Stage 1 have also been certifiers for Stage 2. Further, OIG does not agree that the 2014 Edition EHR Certification Criteria sufficiently address its security concerns regarding the Temporary Certification Program. “For example, the 2014 criteria do not address common security issues that we identified in our review of the Temporary Certification Program, such as password length and complexity or logging emergency access or user privilege changes,” states the report.

Nonetheless, OIG does agree with ONC’s statement that “the adopted criteria strive to set certain common baselines.” But the report finds that ONC’s baseline does not address certain specific security concerns and industry best practices. “For example, multifactor authentication has been recommended by NIST since the publication of NIST SP 800-53 in February 2005,” auditors state. “However, ONC still did not require multifactor authentication in the 2014 criteria. Therefore, we continue to recommend that ONC strengthen EHR Test Procedure requirements to address such issues to ensure providers have EHR systems that have adequate security and privacy features.”