Aug 08 : OIG Finds Privacy and Security Risks with ONC EHR Certification Process

WHAT WE FOUND

ONC’s oversight of the ATCBs did not fully ensure that test procedures and standards could adequately secure and protect electronic patient information contained in EHRs. Specifically, ONC did not ensure that the ATCBs:

• developed procedures to periodically evaluate whether certified EHRs continued to meet Federal standards and
• developed a training program to ensure that their personnel were competent to test and certify EHRs and to secure proprietary or sensitive EHR information.

The ATCBs’ standards and procedures for testing and certifying EHRs met all NIST test procedure requirements that ONC approved. However, those NIST test procedures were not sufficient to ensure that EHRs would adequately secure and protect patient health information; in particular, the procedures allowed ATCBs to certify EHRs that demonstrated the use of a single-character password during testing. In addition, the NIST test procedures did not address common security issues, such as, but not limited to, password complexity and/or logging emergency access or user privilege changes.

WHAT WE RECOMMEND

To ensure that each patient’s health information in EHRs is secure and protected, we recommend that ONC require the ATCBs to:

• develop procedures to periodically evaluate whether certified EHRs continue to meet Federal standards and
• develop a training program to ensure that their personnel are competent to test and certify EHRs and to secure proprietary or sensitive EHR information.

We also recommend that ONC work with NIST to strengthen EHR test procedure requirements so that ATCBs can ensure during testing that EHR vendors incorporate a baseline set of security and privacy features into the development of EHRs to address common security issues.