Poor ONC oversight left EHRs vulnerable to hackers

The Office of the National Coordinator for Health IT's lackluster monitoring of the Authorized Testing and Certification Bodies (ATCBs) under the temporary certification program did not fully ensure that test procedures and standards could secure and protect patient information in electronic health records, according to a new report by the U.S. Department of Health and Human Services' Office of Inspector General (OIG).

The report, released August 4, found that the ATCBs under the temporary certification program did not develop procedures to periodically evaluate whether certified EHRs continued to meet federal standards, nor did they develop training programs to ensure that staff were competent to test and certify EHRs and to secure proprietary and sensitive electronic patient information. OIG pointed out that the standards used met the National Institute of Standards and Technology (NIST) requirements that ONC approved, but that they were not sufficient to ensure that EHRs were adequately secure. For instance, passwords were not required to be sufficiently complex.

"The process of certifying EHRs is designed, in part, to give providers the confidence to know that patient health information is secure and protected," OIG stated. "Our audit revealed vulnerabilities with the Temporary EHR certification program. These vulnerabilities could allow hackers to penetrate EHR systems, thereby compromising the integrity, confidentiality, and availability of patient information stored in and transmitted by a certified EHR."

OIG is making good on its promise to step up its scrutiny of EHRs and the government's oversight of their use. Almost 32 million EHRs are known to have suffered security breaches within the past five years.

OIG recommended that ONC require ATCBs to develop procedures to better monitor whether EHRs meet federal privacy and security standards and to develop procedures to train personnel. It also recommended that ONC work with NIST to strengthen EHR test procedure requirements so that ATCBs can ensure baseline security and privacy.

ONC responded that these ATCBs were no longer active in certification and that it is now using new certification criteria. OIG, though, noted that the 2014 certification criteria did not address specific security criteria or meet industry best practices, such as multifactor authentication.

OIG also expressed concern that ONC did not have the authority to remove an EHR from the approved EHR product list absent evidence of improper conduct by an ATCB.

To learn more:
- read the report (.pdf)