OIG: Certified EHRs aren't so secure

'ONC's baseline does not address certain specific security concerns and industry best practices'
By Erin McCann
03:14 PM

It turns out, ONC's electronic health record certification process has some serious shortcomings – chief among them security practices that are wholly insufficient to adequately protect patient health information, according to a new report from the Office of Inspector General.

The report sheds light on the EHR certification procedure in its current form, which involves oversight from the Office of the National Coordinator for Health IT, and includes the National Institute of Standards and Technology, or NIST, the group responsible for developing these standards for testing and certification bodies to use.

When providers purchase certified EHRs (as of June more than 408,000 healthcare providers have received meaningful use incentive payments after purchasing a certified EHR, with CMS paying out a whopping $24.1 billion in incentives), they presumably expect these multi-million-dollar systems to meet federal security standards. 

One can't be too sure, however. Upon a closer examination of ONC's oversight process, OIG officials found the agency failed to ensure that testing and certification bodies developed procedures that "periodically evaluated whether certified EHRs continued to meet federal standards," according to Daniel R. Levinson, U.S. inspector general.

Because ONC did not enforce this, three out of the six certification bodies fell short in this arena, which caused problems down the line.   

"For example, after its initial certification, an EHR could be modified to conduct fraudulent activities, such as classifying a medical procedure as more expensive than it actually was," wrote Levinson, referring to a process known as upcoding. 

The NIST test procedures, he continued, also failed to address serious issues with password complexity. For instance, the current NIST test procedures allowed certification bodies to certify an EHR even if it permitted single-character password sign-on.

What's more, after OIG reviewed security requirements and staff training at five of the six certification bodies, it found these entities were not required to have any training program in place ensuring that staff were knowledgeable enough both to test and certify these EHRs and to secure patient data. Only a single entity actually trained its EHR testers in NIST IT security.

As a result, one entity used WEP to encrypt the wireless network it set up when holding meetings in rented office space. According to NIST standards, WEP is not an adequately secure encryption method, and industry has known this for more than a decade. Back in 2005, for instance, Federal Bureau of Investigation agents at the annual Information Systems Security Association meeting were able to break 128-bit WEP in three minutes using publicly available tools. WEP was also at the core of one of the biggest security breaches to date: the 2008 TJX breach, in which hackers stole the financial data of some 94 million people.

For their part, ONC officials pointed out to OIG that authorized testing and certification bodies are no longer involved in the ONC Certification Program; separate ONC entities are now responsible. Moreover, they noted that in the new 2014 Edition EHR Certification Criteria, they "strengthened test procedures for common security and privacy features for inclusion in EHRs."

OIG officials strongly disagreed, however.

"ONC's baseline does not address certain specific security concerns and industry best practices," Levinson wrote.