BreachExchange mailing list archives

Ensuring EHRs Are Secure: A New Approach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 18 Jan 2016 18:07:35 -0700

http://www.databreachtoday.com/blogs/ensuring-ehrs-are-secure-new-approach-p-2040

If federal regulators pull the plug on the HITECH Act's "meaningful use"
incentive program for electronic health records, they must devise bold new
ways to help ensure that data stored in EHR systems is secure.

A federal official announced on Jan. 11 plans to end the meaningful use
program and replace it with a new program focused, among other things, on
paying providers for generating better outcomes (see: If EHR Incentive
Program is Ending, What's Next?).

The meaningful use program requires providers to use EHR software that's
certified as meeting a long list of functionality requirements. And one insider tells me
that some form of software certification will continue even if meaningful
use incentives end. What's not clear is exactly how a requirement to use
certified software would be enforced if HITECH dollars are no longer an
incentive for healthcare providers to implement those products.

Security Holes

Based on recent conversations I've had with some security leaders, it's
clear that many EHR vendors need to make security more of a priority.

A healthcare sector CISO, who asked not to be named, recently told me he
believes that some EHR software and clinical trial management systems
vendors come up short when it comes to security, with "holes big enough to
drive a truck through."

Few EHR vendors appear to do regular, comprehensive security audits or
scans on their software, he charges. Vulnerabilities and bugs often aren't
found or don't get addressed, especially by some of the smaller,
lesser-known vendors who often cater to smaller clinics and doctors by
offering less expensive solutions.

Some of the shoddily designed EHRs and related products are ticking
time bombs, with vulnerabilities that could easily be taken advantage of by
cyber-attackers, he contends.

EHR Certification Continues

Security expert and federal adviser Dixie Baker tells me that regulators
will continue to focus attention on the security of EHR software and other
health IT products through the Office of the National Coordinator for
Health IT's software certification program even if the meaningful use
program ends.

ONC last October issued the final rule for the 2015 Edition Health
Information Technology Certification Criteria.

Baker, senior partner at consulting firm Martin, Blanck and Associates, and
longtime member of the HIT Standards Committee, which advises the ONC,
tells me CMS officials briefed members of the HIT Policy and Standards
Committees in October about the plan to transition away from the meaningful
use program. "The plan made sense," Baker says.

"It's time to move on aggressively toward outcomes-based reimbursement, and
their plan for a merit-based incentive payment system, MIPS, seemed
logical," she says. "That said, I'm sure that the switch will cause some
confusion within the provider community - as any change does."

But even as the meaningful use program transitions to something new, "the
[software] certification program will continue, with some important
changes," she says. For one, ONC in the recent final rule is expanding the
program beyond EHR technology to broader "health information technology"
certification, she says. "And most important for privacy and security, they
are changing the way that products are certified against the security
standards and criteria," she adds.

Software Modules

In the initial ONC software certification program, all products - complete
EHRs and EHR modules - submitted for certification were certified against
all of the security criteria, she says. "But the criteria really were not
equally applicable to all products, particularly for some of the more
specialized 'EHR modules,' so they changed the criteria so that products
that were submitted for certification as 'EHR modules' could choose whether
they would be certified against the security criteria," she explains.

To win HITECH incentive payments, providers needed to ensure that the set
of modules they purchased met the "base EHR definition," which included the
security criteria, she says. "But the only certification class that was
required to meet all the requirements in the 'base EHR definition' were
'complete EHRs,'" she says.

So, if a provider chose to purchase and integrate a set of certified "EHR
modules," the healthcare provider would be responsible for demonstrating
that the integrated set met the "base EHR definition," she says. However,
that meant it was possible that none of the modules could meet the security
criteria, she says.

"The HITSC Privacy and Security Working Group argued against this approach,
but ultimately realized that, in fact, some EHR modules may not need to
address all of the criteria," she says. For instance, depending on the
function of the software, not all modules might need to feature automatic
access time-out or require end-user device encryption.

"So we proposed an approach whereby the healthcare functions for which an
EHR module was submitted for certification would determine whether that
module needed to be certified against this security criteria," she says.
"We were very pleased to see that this approach was adopted in the final
rule released last October."

EHR Vendors: A Call to Action

While the health IT products submitted for certification must meet specific
security and privacy criteria, some CISOs insist that EHR vendors still
have a long, long way to go when it comes to protecting patient data.

That's why it's so important that as the software certification program
evolves, federal regulators devise innovative ways to ensure the security
functions of EHRs continue to improve - and that providers take full
advantage of those features.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/