The HHS Office of Inspector General (OIG) recently issued a report regarding the Office of the National Coordinator for Health Information Technology’s (ONC) oversight of electronic health record (EHR) testing and certification, “The Office of the National Coordinator for Health Information Technology’s Oversight of the Testing and Certification of Electronic Health Records.”

ONC was statutorily established by the Health Information Technology for Economic and Clinical Health (HITECH) Act and is the principal Federal entity responsible for coordinating the effort to implement a nationwide health information technology infrastructure.  The HITECH Act established several programs to promote the use of electronic health records (EHRs) and other health information technologies.  The Act authorizes incentive payments to certain Medicare and/or Medicaid providers (eligible professionals, eligible hospitals, and critical access hospitals) who make meaningful use of certified EHRs.  The measures and objectives for meaningful use require such providers to take certain steps to protect electronic protected health information (PHI) created or maintained through the providers’ EHRs.  As of December 2013, the Centers for Medicare & Medicaid Services had paid more than $19 billion in incentive payments to more than 340,000 providers who have attested to meeting the meaningful use standards.

To receive incentive payments, providers must use EHRs that have been certified by an authorized testing and certification body (ATCB) (temporary certification program) – or by an authorized certification body (ACB) which certifies EHRs based on the results of testing by a National Voluntary Laboratory Accreditation Program (NVLAP)-accredited testing laboratory (permanent certification program) – in accordance with certain standards and criteria established by ONC, including information security standards.  Under ONC’s temporary certification program, ONC’s Principles of Proper Conduct required an ATCB to (1) operate a certification program in accordance with International Organization for Standardization and International Electromechanical Commission (ISO/IEC) requirements for operating product certification systems, (2) operate a testing program in accordance with certain ISO/IEC requirements for the competence of testing and calibration laboratories, and (3) use test procedures approved by ONC.  To be certified, the EHR must meet the regulatory certification standards and criteria established by ONC.  These standards and criteria include security standards relating to access control, emergency access, automatic log-off, audit log, integrity, authentication, and general encryption.  NIST developed procedures for testing the EHRs which were adopted by ONC.

The objectives of the OIG’s review were to assess whether (1) ONC’s oversight of ATCBs ensured that electronic patient information was secure and protected; (2) the ATCBs’ standards and procedures for testing and certifying EHRs met National Institute of Standards and Technology (NIST) test procedure requirements; and (3) NIST test procedures were sufficient to secure and protect electronic patient information.  The OIG noted that certification of EHRs with inadequate security may increase the risk that unauthorized individuals may gain access to patient health information or submit improper claims.

The OIG found that ONC’s oversight of ATCBs did not fully ensure that electronic patient information in EHRs were secure and protected.  First, ONC failed to ensure that ATCBs periodically evaluated whether certified EHRs continued to meet Federal standards.  While applicable ISO/IEC standards require such periodic evaluation and ONC is developing procedures for such evaluations, ONC did not enforce the requirement for ATCBs in the temporary certification program.  Without periodic evaluations, the OIG noted that ONC could not confirm an EHR’s continuing compliance with Federal standards.

Second, the OIG determined that ONC failed to ensure ATCBs sufficiently trained their personnel regarding EHR test procedures and security of records.  The OIG noted that ATCBs should have developed training programs consistent with ISO/IEC requirements.  ISO/IEC training programs would have ensured that ATCB personnel were competent to test and certify EHR in information technology (IT) security topics related to the NIST testing procedures.  The OIG found that ONC did not require such training programs, but instead required ATCBs to pass ANSI and NVLAP audits which require IT security training for testers.  However, such audits did not require EHR testers to be trained in IT security topics related to NIST test procedures.  The OIG concluded that, as a result, ONC failed to ensure ATCB personnel were competent to test and certify EHRs.  The OIG also concluded that ONC failed to ensure that ATCBs trained personnel to secure proprietary or sensitive EHR information during testing.

Third, while ATCBs complied with the required NIST testing procedures, the OIG found that those NIST requirements, adopted by ONC, need strengthening.  The required NIST’s procedures did not ensure certified EHRs would secure patient information.  The test procedures failed to address common security issues, such as password complexity, logging emergency access, and user privilege changes.  Without addressing these common issues, ATCBs could continue to certify EHRs with vulnerabilities that could pose a significant risk to patient health information security.

The OIG recommended that ONC require ATCBs to (1) develop procedures to periodically evaluate whether certified EHRs continue to meet Federal standards; and (2) develop a training program to ensure that their personnel are competent to test and certify EHRs and to secure proprietary or sensitive EHR information.  The OIG also recommended that ONC and NIST strengthen EHR testing procedures to ensure that ATCBs certify EHRs that address common security and privacy issues.   

In comments on the draft OIG report, ONC noted that ATCBs are no longer testing and certifying EHRs, and that the current certification program uses ACBs and accredited testing laboratories.  ACBs are required to conduct surveillance and be accredited by ANSI.  In addition, ONC noted that EHRs are now accredited to 2014 Edition EHR Certification Criteria, which strengthened test procedures for common privacy and security features included in EHRs.  The OIG found that the 2014 certification criteria are not sufficient to address OIG’s security concerns, such as password length and complexity or logging emergency access or user privilege changes.  In addition, the OIG noted that ONC’s security baseline does not address industry best practices, such as multifactor authentication.  Further, the OIG commented that ONC’s certification program does not permit ONC to remove a certified EHR from the Certified Health IT Product List, even temporarily, if an EHR is exploited and used to conduct malicious activities, to prevent further purchases of it.