Everyone's to blame for weak EHR security

I fear the security of patient information in electronic health records has gone from bad to worse.

First we learn that more people are withholding information from their providers who use EHRs because they fear the systems won't keep their information confidential.

Now we learn that they're right. The U.S. Department of Health and Human Services' Office of Inspector General (OIG) has just revealed that the Office of the National Coordinator for Health IT's lax monitoring of the Authorized Testing and Certified Bodies (ATCBs) under the temporary certification program left certified EHRs vulnerable to hackers and other security breaches. That could compromise the integrity, confidentiality and availability of patient information stored and transmitted by a certified EHR. For instance, EHRs were allowed to use one character passwords.

Just one character to protect an EHR? Even my smartphone requires four. So why is this being allowed?

ONC's response to the OIG report was that the ATCBs were no longer active in certification and that it's using new certification criteria.

But aren't the ATCBs that were involved in the temporary certification program the same ones that are certifying the EHRs for Stage 2 of Meaningful Use? We don't know if they're protecting EHRs better now. Moreover, EHRs certified in the temporary program are still available to providers. As of August 2013, 95 percent of the certified EHRs being used were certified under the temporary program, according to the report.

And I'm not sure how much the new certification criteria actually improves EHR protection. For instance, while the 2014 edition of certification criteria does address privacy and security, it arguably expands access and risk by enabling messaging between providers and patients and providing patients with access to view, download and transmit their electronic information. It's supposed to be "secure," but we don't know that it is. Moreover, some of the security measures in the proposed rule for Stage 2 of Meaningful Use--such as using encryption as a default setting--were not included in the final rule.  

OIG came to the same conclusion.

"We do not agree [with ONC] that the 2014 Edition EHR Certification Criteria sufficiently address our security concerns regarding the Temporary Certification Program," the agency said. "For example, the 2014 criteria do not address common security issues that we identified in our review of the Temporary Certification Program, such as password length and complexity or logging emergency access or user privilege changes."

It's bad enough that so many covered entities fail to protect patient information, electronic and paper, in compliance with HIPAA due to user error, impermissible access by employees and inadequate training. Many of those breaches that compromise data can be avoided, or at least the risk can be reduced.

But it's very hard to protect electronic data from hackers who very much want patient information in order to engage in medical and financial identity theft.

That's why OIG is placing much of the blame here on ONC itself, for failing to ensure that the EHR certifiers were taking steps to make the electronic records more secure and for allowing the use of NIST criteria that didn't provide for baseline protections. It's weakening the protections and setting providers up for security breaches. Ouch. 

So who's responsible for keeping EHR data confidential and protected? The answer is everyone. No one is off the hook here. The problem is that no one is doing a very good job of it.

No wonder patients are afraid. They should be. - Marla (@MarlaHirsch and @FierceHealthIT)