OIG: ONC's EHR security oversight is weak

The Office of the National Coordinator for Health IT (ONC) bears much of the responsibility for certified EHRs remaining vulnerable to hackers and other security problems, according to a report from the Department of Health and Human Services' Office of Inspector General (OIG).

ONC's weak oversight of the Authorized Testing and Certification Bodies (ATCBs) under the temporary certification program did not ensure that the test procedures and standards they applied could secure and protect patient information in EHRs, the report found.

Under the temporary certification program, the ATCBs did not develop procedures to periodically evaluate whether certified EHRs continued to meet federal standards, nor training programs to ensure that their staff were competent to test and certify EHRs and to safeguard the proprietary and sensitive electronic patient information they handled. OIG noted that the standards in use met the National Institute of Standards and Technology (NIST) requirements that ONC had approved, but that those requirements were not sufficient to ensure that EHRs were adequately secure. For instance, the password complexity they demanded was too low.

"The process of certifying EHRs is designed, in part, to give providers the confidence to know that patient health information is secure and protected," OIG wrote. "Our audit revealed vulnerabilities with the Temporary EHR certification program. These vulnerabilities could allow hackers to penetrate EHR systems, thereby compromising the integrity, confidentiality and availability of patient information stored in and transmitted by a certified EHR."

OIG found that ONC failed to ensure that the testing and certification bodies developed procedures that "periodically evaluated whether certified EHRs continued to meet federal standards," according to Daniel R. Levinson, HHS inspector general. Three of the six certification bodies had no such procedures, so an EHR that changed after certification could keep its certified status unexamined.

"For example, after its initial certification, an EHR could be modified to conduct fraudulent activities, such as classifying a medical procedure as more expensive than it actually was," according to the report. The NIST test procedures also failed to address password complexity, allowing a certification body to certify an EHR even if it accepted a single-character password for sign-on.
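The two gaps the report describes, a test procedure that accepts any non-empty password and the absence of any re-evaluation after certification, are easy to make concrete. The following Python is an added example written for this article; it is not code from the OIG report, ONC, NIST or any ATCB. It assumes a hypothetical certification harness with two password policies (the weak one models the single-character acceptance the report criticizes; the stricter one is an illustrative baseline, not a quotation of a NIST standard), and a hash manifest recorded at certification time that a periodic re-evaluation compares against. The EHR files and the "upcoding" modification are constructed inline.

```python
from __future__ import annotations

import hashlib
import re

# --- Password policy as a certification test ---------------------------------

def weak_policy_accepts(password: str) -> bool:
    """Models the test procedure the report faulted: any non-empty password passes."""
    return len(password) >= 1

# Constructed deny-list of common passwords (illustrative, not an official list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}

def hardened_policy_accepts(password: str, min_length: int = 12) -> bool:
    """Illustrative stricter baseline (an assumption of this example):
    minimum length, not on the deny-list, and at least three character classes."""
    if len(password) < min_length:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    classes = sum(
        1 for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        if re.search(pattern, password)
    )
    return classes >= 3

def run_password_tests(policy, candidates: list[str]) -> dict[str, bool]:
    """Apply a policy to each candidate; a certifier would expect weak ones to be rejected."""
    return {pw: policy(pw) for pw in candidates}

# --- Periodic re-evaluation of a certified build -----------------------------

def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record SHA-256 of every file in the certified artifact at certification time."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}

def reevaluate(manifest: dict[str, str], files: dict[str, bytes]) -> list[str]:
    """Compare the deployed artifact against the certification-time manifest.
    Returns a list of findings; an empty list means the build is unchanged."""
    current = build_manifest(files)
    findings = []
    for name, digest in manifest.items():
        if name not in current:
            findings.append(f"missing: {name}")
        elif current[name] != digest:
            findings.append(f"modified: {name}")
    for name in current:
        if name not in manifest:
            findings.append(f"added: {name}")
    return findings

# Constructed sample EHR artifact: a billing code table and a login module.
CERTIFIED_BUILD = {
    "billing/procedure_codes.csv": b"visit_type,code\nestablished_patient_level3,99213\n",
    "auth/login.py": b"def login(user, password):\n    return check(user, password)\n",
}

# Constructed post-certification modification: the same visit now bills a higher-level code
# (the kind of change the report says could go undetected without periodic re-evaluation).
UPCODED_BUILD = dict(CERTIFIED_BUILD)
UPCODED_BUILD["billing/procedure_codes.csv"] = b"visit_type,code\nestablished_patient_level3,99215\n"

if __name__ == "__main__":
    candidates = ["a", "password1234", "Tr0ub4dor&3xample"]
    print("weak policy:    ", run_password_tests(weak_policy_accepts, candidates))
    print("hardened policy:", run_password_tests(hardened_policy_accepts, candidates))
    manifest = build_manifest(CERTIFIED_BUILD)
    print("re-evaluate certified build:", reevaluate(manifest, CERTIFIED_BUILD))
    print("re-evaluate upcoded build:  ", reevaluate(manifest, UPCODED_BUILD))
```

The weak policy returns True for "a", which is exactly the outcome the report says the test procedures permitted; the hardened policy rejects it along with "password1234". The manifest comparison flags the billing table as modified, which is the signal a periodic re-evaluation procedure would need before an EHR keeps its certified status.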

OIG also found that the certification bodies were not required to have any training program in place to ensure that staff were knowledgeable enough both to test and certify EHRs and to secure the patient data they handled. Only one of the six trained its EHR testers in NIST IT security.

OIG recommended that ONC require ATCBs to develop procedures to monitor whether certified EHRs continue to meet federal privacy and security standards and to train their personnel. It also recommended that ONC work with NIST to strengthen the EHR test procedure requirements so that ATCBs can verify a baseline of security and privacy.

Beth Walsh, Editor

Beth earned a bachelor's degree in journalism and a master's in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005 as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.
