OIG Audit Reveals Omissions In ONC Health Care IT Standards
The U.S. Office of the National Coordinator (ONC) has made a critical omission en route to achieving Meaningful Use adoption of electronic health records (EHRs), reveals a U.S. Department of Health and Human Services (HHS) security audit conducted by the U.S. Office of Inspector General (OIG). The internal audit, the results of which were published on May 16, found that while ONC had incorporated application IT security controls in its interoperability specifications, its health care IT standards did not include any general security controls for certified EHR products and software.

The American Recovery and Reinvestment Act (ARRA) of 2009 mandates that ONC be a security champion and, as such, assume responsibility for keeping the national health IT strategic plan updated to guarantee its integrity and protect against intrusion. However, according to the audit, ONC had neither addressed fundamental security requirements nor undertaken its own audit to determine whether gaps existed in its security criteria, even though it had the authority to do so.

The audit involved an assessment of ONC's process for creating and adopting interoperability specifications issued in April of 2009. OIG auditors also evaluated both the January 2010 Interim Final Rule and the July 2010 Final Rule, which laid out certification requirements for equipment, software, and systems needed to receive Meaningful Use EHR adoption financial incentives.

The OIG defines general IT security controls as “the structure, policies, and procedures that apply to an entity's overall computer operations, that ensure the proper operation of information systems, and that create a secure environment for application systems and controls.” In the report, OIG auditors specifically cite several examples, none of which were included in any ONC criteria.
Such examples encompass encryption of data on portable media (e.g., medical and DICOM CDs and DVDs and flash drives), as well as on any type of mobile media (e.g., smartphones and electronic tablets). Among other examples are two-factor authentication when remotely accessing a healthcare IT system, and software upgrades, patches, or other security enhancements to keep certified products and IT systems protected from computer viruses, malware, or other forms of attack on a healthcare IT component or system. Two-factor authentication typically requires use of a physical token, such as an access card, as well as a password linked to an individual. "Lack of any of these or other IT security controls can expose healthcare IT systems to a host of problems," the OIG auditors observe.

OIG had also conducted an audit of eight unnamed hospitals to evaluate the effectiveness of the HIPAA security rule. On May 16, it issued a report in which it sharply criticized the Office for Civil Rights for lack of rigor in enforcing its security provisions. Security weaknesses identified at the hospitals included unprotected wireless networks, inadequate system patching, outdated or missing antivirus software, lack of system event logging or review, unencrypted portable media, shared user accounts, and excessive user access and administrative rights.

In light of these findings, the auditors declined to accept ONC's explanation that it had deferred to the HIPAA security rule for addressing fundamental IT security for healthcare IT. "Our HIPAA reviews identified vulnerabilities in the HHS oversight function and the general IT security controls," the report's authors write. "Those vulnerabilities in hospitals, Medicare contractors, and state agencies, combined with our findings in this audit, raise concern about the effectiveness of IT security for healthcare IT if general security controls are not addressed by the ONC."
OIG states that it made several recommendations to ONC, which ONC had accepted by the time the audit report was published. These recommendations included developing specifications and requirements for general IT security controls for supporting systems, networks, and infrastructures, and providing guidance to the health care industry on established general IT security standards and IT industry security best practices. OIG also counseled ONC to emphasize the importance of general IT security to the medical community and to coordinate work with the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights to add general IT security controls where applicable.