InfoGard Offers Two New EHR Services - Breach Gap Analysis and Designing for Compliance Training - to Advance Breach Safe Harbor

SAN LUIS OBISPO, Calif., Oct. 5 /PRNewswire/ -- InfoGard, an ONC-Authorized Testing and Certification Body (ONC-ATCB) and NIST accredited IT security laboratory, is pleased to announce two new offerings that promise a sea change in the mostly unaddressed but critical area of patient data breaches. The compelling statistics on patient data breaches depicted on the HHS Office of Civil Rights (OCR) website point up the urgency with which the Electronic Health Record (EHR) industry needs to address this rapidly expanding problem. The incidence of lost or stolen media, including laptops and hard drives, is a major contributor to these breaches. Recent surveys indicate that preventing data breaches is the number one priority of hospital CIOs. This strongly underscores the importance of protecting EHR data from breaches, something the industry has yet to properly address.

In the recent Interim Final Rule on Breach Safe Harbor (45 CFR Part 160 and 164), a safe harbor is provided for those providers whose EHR systems comply with specified NIST guidelines for data at rest and data in motion. Currently, most EHR applications fail to meet these guidelines and many vendors are not aware that a safe harbor for breach exists.  Because of this lack of exposure to the range of NIST security standards and lack of awareness of a legal safe harbor for breach, EHR vendors are at a disadvantage in addressing Breach Safe Harbor for providers in their designs.

InfoGard is pleased to announce two offerings that will provide vendors a path to EHR product compliance with Breach Safe Harbor. First, effective December 1, InfoGard will offer a Gap Analysis that evaluates EHR privacy and security controls against the HHS and NIST requirements for Breach Safe Harbor.

Second, effective February 1, InfoGard will offer training for EHR vendors that addresses the design requirements necessary to comply with NIST cryptographic and IT security guidelines.  Together, these services will fill the current void and provide EHR vendors a path forward for providers.  EHR vendors with products conforming to these guidelines will be responding to healthcare providers' greatest need – the protection of private patient data from disclosure and attaining breach safe harbor.

InfoGard became the nation's first NIST accredited IT security lab in 1995. Since then, InfoGard has provided IT privacy and security evaluation and design training per NIST standards and guidelines to several industries. Compliance with the NIST data at rest guidelines will eliminate the risks of data breaches associated with stolen or inadvertently disclosed media. Compliance with the NIST data in motion standards will protect data movement within and between provider organizations and enable data transmission interoperability.

Increasingly, Health Information Technology that manages patient data must adhere to NIST security and privacy standards and guidelines for best practice. Anything less will not achieve the foundation of trust necessary to achieve the vision underlying the HITECH act. Until then, providers will continue to struggle with security and privacy challenges such as breach of patient health records.

Pricing for both products is quoted on a case-by-case basis. Please contact Doug Biggs at [email protected] or (805) 783-0810.  

About InfoGard Laboratories

InfoGard has been instrumental in developing a number of government and private sector test and certification programs, including NIST's Cryptographic Module Validation Program, programs for postage metering systems in five western countries, and two programs for the payment card industry. InfoGard is also an accredited Common Criteria laboratory. This experience has provided InfoGard the ability to collaborate successfully with many different organizations in the development of IT testing and certification programs. InfoGard is independent, self-funded and employee owned. For further information, please visit