National Coordinator Fumbles Health IT Security

ONC concurred with the recommendations, according to the executive summary.

Health IT systems might be vulnerable to security breaches because a key federal office has not set security standards for users' overall IT systems, warns the inspector general for the U.S. Department of Health and Human Services.

HHS's Office of the National Coordinator for Health IT (ONC) has established application security controls in its standards for interoperability, or the sharing of medical data by different electronic health record systems. But those controls did not extend to the IT systems hosting electronic health records, according to the audit.

"We found a lack of general IT security controls during prior audits at Medicare contractors, state Medicaid agencies, and hospitals," the inspector general said in its May 16 audit report. "Those vulnerabilities, combined with our findings in this audit, raise concern about the effectiveness of IT security for [health IT] if general IT security controls are not addressed."

ONC failed to address controls such as encrypting data stored on mobile devices, requiring two-factor authentication when remotely accessing a health IT system, and patching computer operating systems that process and store electronic health records, according to the executive summary.

The IG's office recommended that ONC:

  • Broaden its focus from interoperability specifications to include "well-developed general IT security controls for supporting systems, networks and infrastructures."
  • Help health-care providers understand established general IT security standards and best practices and the importance of general IT security.
  • Coordinate its efforts with the Centers for Medicare and Medicaid Services and HHS's Office for Civil Rights.