Just how well is patient data protected in today’s certified electronic health records (EHRs)? Not so well, according to a recently published report from the Office of Inspector General (OIG). But, like many OIG reviews, this one was “in process” for nearly two years, leaving some industry experts to question whether its findings still apply to the current performance of the ONC, or even of the vendors themselves.
The EHR certification procedure involves oversight from the Office of the National Coordinator for Health IT (ONC), with contributions from the National Institute of Standards and Technology (NIST). NIST is responsible for developing the standards by which testing and certification bodies evaluate EHR data protection controls in seven key areas: access control, emergency access, automatic log-off, audit log, integrity, authentication and general encryption.
So where does the ONC’s oversight fall short? The report suggests that the ONC failed to ensure that testing and certification bodies developed procedures that “periodically evaluated whether certified EHRs continued to meet federal standards.”
In its response, the ONC noted that since the review was performed it has revised the ‘auditable events and tamper resistance’ certification criterion, adopted a new ‘end-user device encryption’ criterion, and strengthened the requirements around patients’ ability to securely view, download and transmit their health records. It has also strengthened the transitions of care certification criterion for transmission using Direct, which now requires digital certificates and that transmitted files be encrypted.
ONC’s responsibility for oversight is a function of risk management – risk management upon which the entire industry relies. But this risk management is a process, and this process is a “team sport.”
The EHR vendors know that they need to improve their products to provide greater data protection. Some have been very assertive in this area while others have not made the investment in their products to prioritize data protection features. NIST needs to set the bar appropriately with testing procedures that separate those vendors that are diligent from those that are not. The ONC needs to establish EHR certification criteria that address an evolving landscape of security concerns and reflect best practices.
Not every EHR merits certification. It really is that simple. The industry needs to be able to rely on certification criteria that are worthy of the data being protected, and on a testing process that leaves no room for doubt about whether a product’s data protection claims hold up.