By Anna Kraus

As we reported previously, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) recently issued two reports that highlight continuing concerns over how best to ensure the privacy and security of electronic health information.  Earlier this week, we provided more detail on the OIG’s report regarding CMS oversight of the HIPAA Security Rule.

On May 16, 2011 the OIG released a second report relating to federal data security standards, Audit of Information Technology Security Included in Health Information Technology Standards. In this report, the OIG expressed concern that federal health information technology (HIT) standards do not include general information technology (IT) security controls.  Instead, HIT standards focus primarily on application controls, which apply within an IT system and can be circumvented in the absence of strong general security controls.  The audit recommended that the Office of the National Coordinator for Health Information Technology (ONC) take the following steps:

  • Include general security controls in HIT standards;
  • Provide guidance to the health industry and the medical community regarding the value of general IT security as well as general IT security standards and best practices; and
  • Cooperate with the Centers for Medicare & Medicaid Services (CMS) and the HHS Office for Civil Rights (OCR) to require general IT security controls where appropriate.

Responsibility for health information privacy and security oversight within HHS is divided among ONC, CMS, and OCR.  ONC created the Health Information Technology Standards Panel (HITSP) in 2005 to establish interoperability specifications for information sharing between entities.  In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act codified ONC and, among other things, required that it establish a nationwide HIT infrastructure as well as recommend standards, implementation specifications, and certification criteria to the Secretary of HHS by the end of 2009.  These standards were published in a July 2010 Final Rule (Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology).  Under the HITECH Act, providers can obtain “meaningful use” incentive payments by using electronic health records (EHRs) that meet the certification criteria published in the Final Rule.

The OIG audit pointed out that ONC HIT standards do not include general IT security controls such as those promoted by the Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST), including:

  • Encryption of information on mobile devices;
  • Two-factor authentication for remote IT system access (including a physical token separate from the device through which access is obtained); and
  • Timely patching of operating systems to address security issues such as viruses.

Although ONC’s interoperability specifications include application controls and require encryption for data transmission, there is no standard requiring encryption for data stored on mobile devices; nor are there other general IT security controls.  Additionally, general IT security controls have not been addressed in the HITSP standards-setting process.  Finally, general controls were not included in the ONC July 2010 Final Rule, which included only application controls.

After reviewing the draft report, ONC concurred that general IT security controls and education about such controls are important but did not appear to explicitly commit to including such controls in HIT standards.  Specifically, ONC stated that:

  • The certification criteria for EHRs specified in the July 2010 Final Rule include requirements that EHR technology “support important general IT security control capabilities” such as the encryption of data in motion, access controls, and message integrity checking.  The Rule also requires security risk analysis and correction of security deficiencies.
  • Security controls must be balanced with regulations that do not inhibit adoption of HIT.  ONC expects to have, by 2015, a “well developed set of certification criteria that, coupled with practices initiated under the CMS meaningful use rule, will form a strong security framework. . . .”
  • ONC is “in the final stages” of drafting a comprehensive security strategic plan, a key element of which will be general IT security.
  • ONC will work with Federal Advisory Committees established pursuant to the HITECH Act to “explore the feasibility of adding general IT security controls, such as encryption of portable media and two-factor authentication, to the certification criteria.”
  • ONC has funded security capability assessment tools currently under development and, in fiscal year 2011, will be launching a Security/Cybersecurity communications campaign with OCR to disseminate best practice information.

Although ONC concurred with the OIG’s overall assessment of the importance of general IT security controls, incorporation of such controls into HIT standards does not appear imminent.  Nevertheless, general IT security is clearly under scrutiny and will likely continue to be a priority for HHS going forward.