HHS' Office of Inspector General has published two reports that found security gaps abound as healthcare providers rush to implement electronic health records and qualify for meaningful use incentive payments.
In one report, the OIG concluded "CMS oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Health Insurance Portability and Accountability Act of 1996 Security Rule." The HIPAA Security Rule was passed to protect individual's electronic personal health information and requires covered entities to establish the appropriate safeguards to ensure the security of electronic health information.
The OIG made its conclusion and released its report following an audit of seven hospitals, which turned up 151 total vulnerabilities in the hospitals' systems and controls. Vulnerabilities ranged from unsecure access to electronic information, ineffective encryption and lack of authentication to enter a wireless network. In its report, the OIG recommended the Office for Civil Rights continue the compliance review process CMS began in 2009 and implement measures to ensure controls are in place at covered entities.
The OIG also released a second report, in which it concluded the Office of the National Coordinator for Health IT did not provide any standards that included general information IT security controls, which are the structure, policies and procedures that apply to an entity's overall computer operations in order to create a secure environment for systems and controls.
In this report, the OIG made several recommendations to the ONC, including using its leadership role to provide the health industry with established general IT security standards and IT industry security best practices.
Related Articles on EHRs:
Complimentary Webinar: EHR in the ASC: Meaningful Use and What it Means for Your Center
CMS Pledges Hospital Quality Reporting Through EHRs
North Carolina's Wake Endoscopy Center Selects ProVation MD Software
In one report, the OIG concluded "CMS oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Health Insurance Portability and Accountability Act of 1996 Security Rule." The HIPAA Security Rule was passed to protect individual's electronic personal health information and requires covered entities to establish the appropriate safeguards to ensure the security of electronic health information.
The OIG made its conclusion and released its report following an audit of seven hospitals, which turned up 151 total vulnerabilities in the hospitals' systems and controls. Vulnerabilities ranged from unsecure access to electronic information, ineffective encryption and lack of authentication to enter a wireless network. In its report, the OIG recommended the Office for Civil Rights continue the compliance review process CMS began in 2009 and implement measures to ensure controls are in place at covered entities.
The OIG also released a second report, in which it concluded the Office of the National Coordinator for Health IT did not provide any standards that included general information IT security controls, which are the structure, policies and procedures that apply to an entity's overall computer operations in order to create a secure environment for systems and controls.
In this report, the OIG made several recommendations to the ONC, including using its leadership role to provide the health industry with established general IT security standards and IT industry security best practices.
Related Articles on EHRs:
Complimentary Webinar: EHR in the ASC: Meaningful Use and What it Means for Your Center
CMS Pledges Hospital Quality Reporting Through EHRs
North Carolina's Wake Endoscopy Center Selects ProVation MD Software