Morning Headlines 8/5/14
An OIG investigation finds that the ONC’s EHR testing and certification standards do not test EHR security features sufficiently to ensure that patient information is protected.
State will replace CGI, health exchange vendor
Vermont is the next to join a growing list of states that have fired CGI as their primary health insurance exchange firm. Starting in September, development responsibilities will be handed over to Optum as part of a $5.7 million deal.
Actionable Recommendations in the Bright Futures Child Health Supervision Guidelines
A new study published in Applied Clinical Informatics finds that only 20 percent of the preventive health care guidelines followed by US pediatricians are defined in a way that would allow them to be integrated into EHR clinical decision support tools.
DeSalvo says providers, hospitals on track for EHR Stage 2
With just 10 eligible hospitals attesting for Stage 2 MU thus far, national coordinator Karen DeSalvo, MD, reports “We know from past experience with meaningful-use Stage 1, for example, that people wait to attest until the eleventh hour,” adding “It seems on track with where we expect it to be, and we’re watching it closely.”
What, me worry? The OIG findings should come as no surprise. Security in EHR has gotten short shrift from government and vendors alike. This has been known for years, and has been on Deb Peel’s agenda.
The soporific NIST SP 800-60 volume 2, in appendix D.14, clearly(?) defines the health care security considerations for federal systems. Among other things, the highest consideration is for data availability and integrity, with medium importance for confidentiality. Why? If data is unavailable or corrupted, it could harm patients. Loss of confidentiality is a lesser harm. This is too often ignored. I wonder if the OIG’s testing treats EHR data availability and integrity accordingly. My bet is that they do not.
To have really safe patient data we would need to find a replacement for the zero security of HL7. No encryption at all. Can anybody see that happening? Too many people too invested.
Until then you can implement dual-factor auth, audit trails and any other security feature you want… but a 16-year-old can use off-the-shelf free software to sniff most patient data.
Security is just a talking point. The legacy architecture just doesn’t support it.
Lol security, indeed. HL7 is a format, security is orthogonal to format.
Security can be, and in many places is, very much present – encryption on the wire can be achieved via VPN connections between the end points, or via SSL connections. Encryption at rest can be achieved via database encryption or disk encryption.
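The point in the reply above, that HL7 v2 is only a message format and encryption on the wire is layered on separately, can be shown directly. The following is an added example, not code from this page or from any HL7 vendor or product: it sends one constructed ADT^A01 message over MLLP through a small on-path relay that keeps a copy of every byte it forwards (standing in for someone sniffing the link), first in plaintext and then inside TLS. The patient, facility names and message are fictional; the TLS half assumes the openssl command-line tool is installed to mint a throwaway self-signed certificate, which a real deployment would replace with CA-issued certificates.

```python
"""Same HL7 v2 message over MLLP: what an on-path observer recovers from a plaintext link vs. TLS."""
import os, shutil, socket, ssl, subprocess, tempfile, threading

SB, EB, CR = b"\x0b", b"\x1c", b"\x0d"   # MLLP start block, end block, carriage return

# Constructed ADT^A01 for a fictional patient; '|' separates fields, '^' separates components.
SAMPLE_ADT = (
    "MSH|^~\\&|SENDAPP|SENDFAC|RECVAPP|RECVFAC|20140805120000||ADT^A01|MSG00001|P|2.3\r"
    "PID|1||123456^^^HOSP^MR||DOE^JANE||19700101|F|||1 MAIN ST^^ANYTOWN^VT^05401\r"
)

def mllp_frame(msg: str) -> bytes:
    return SB + msg.encode("ascii") + EB + CR

def mllp_unframe(data: bytes) -> str:
    if not (data.startswith(SB) and data.endswith(EB + CR)):
        raise ValueError("not a complete MLLP frame")
    return data[1:-2].decode("ascii")

def extract_phi(msg: str) -> dict:
    """Pull identifiers out of MSH/PID the way a sniffer would. Splitting MSH on '|' puts
    MSH-2 at index 1, so MSH-n sits at index n-1; in other segments field n sits at index n."""
    out = {}
    for seg in msg.split("\r"):
        f = seg.split("|")
        if f[0] == "MSH":
            out["type"] = f[8]                      # MSH-9 message type
        elif f[0] == "PID":
            out["id"] = f[3].split("^")[0]          # PID-3 patient identifier
            out["name"], out["dob"] = f[5], f[7]    # PID-5 name, PID-7 date of birth
    return out

def frames_in(capture: bytes) -> list:
    """Carve MLLP-framed HL7 messages out of raw captured bytes (none survive inside TLS)."""
    out, i = [], 0
    while True:
        s = capture.find(SB, i)
        e = capture.find(EB + CR, s) if s >= 0 else -1
        if e < 0:
            return out
        body = capture[s + 1:e]
        if body.startswith(b"MSH"):
            out.append(body.decode("ascii", errors="replace"))
        i = e + 2

def _recv_frame(conn) -> bytes:
    buf = b""
    while not buf.endswith(EB + CR):
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def _serve_once(listener, server_ctx):
    """Accept one connection, read one message, answer with an ACK carrying its control ID."""
    conn, _ = listener.accept()
    if server_ctx:
        conn = server_ctx.wrap_socket(conn, server_side=True)
    ctrl = mllp_unframe(_recv_frame(conn)).split("\r")[0].split("|")[9]   # MSH-10
    conn.sendall(mllp_frame("MSH|^~\\&|RECVAPP|RECVFAC|SENDAPP|SENDFAC|20140805120001||ACK|%s|P|2.3\r"
                            "MSA|AA|%s\r" % (ctrl, ctrl)))
    conn.close()

def _pump(src, dst, captured):
    """Forward bytes one way, keeping a copy; the relay never needs to understand them."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            captured += data
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _tap_once(listener, upstream_port, captured):
    down, _ = listener.accept()
    up = socket.create_connection(("127.0.0.1", upstream_port))
    for s in (down, up):
        s.settimeout(5)
    pumps = [threading.Thread(target=_pump, args=(down, up, captured)),
             threading.Thread(target=_pump, args=(up, down, captured))]
    for p in pumps: p.start()
    for p in pumps: p.join()
    down.close(); up.close()

def run_exchange(client_ctx=None, server_ctx=None):
    """Send SAMPLE_ADT client -> tap -> server on loopback; return (ACK text, bytes the tap saw)."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    tap = socket.socket(); tap.bind(("127.0.0.1", 0)); tap.listen(1)
    captured = bytearray()
    ts = threading.Thread(target=_serve_once, args=(srv, server_ctx)); ts.start()
    tt = threading.Thread(target=_tap_once, args=(tap, srv.getsockname()[1], captured)); tt.start()
    c = socket.create_connection(tap.getsockname())
    if client_ctx:
        c = client_ctx.wrap_socket(c, server_hostname="localhost")
    c.sendall(mllp_frame(SAMPLE_ADT))
    ack = mllp_unframe(_recv_frame(c))
    c.close(); ts.join(); tt.join(); srv.close(); tap.close()
    return ack, bytes(captured)

def tls_available() -> bool:
    return shutil.which("openssl") is not None

def self_signed_contexts():
    """Throwaway self-signed cert for 'localhost' via the openssl CLI (assumed installed)."""
    d = tempfile.mkdtemp()
    key, crt = os.path.join(d, "key.pem"), os.path.join(d, "crt.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server.load_cert_chain(crt, key)
    client = ssl.create_default_context(cafile=crt)   # verifies cert chain and hostname
    return client, server

if __name__ == "__main__":
    ack, cap = run_exchange()
    print("plaintext link, tap recovered:", extract_phi(frames_in(cap)[0]))
    if tls_available():
        ack, cap = run_exchange(*self_signed_contexts())
        print("TLS link, frames carved:", frames_in(cap), "| name visible:", b"DOE^JANE" in cap)
```

The relay is the whole argument: it forwards bytes without knowing or caring that they are HL7, and whether a copy of those bytes yields a patient name depends only on what the two endpoints negotiated. Note what TLS does not hide here: the handshake still reveals that a connection was made and, in the ClientHello, the server name, so the same sniffer learns that two systems are exchanging something even when the PID segment is out of reach.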
With only ten hospitals attesting to EHR Stage 2 with only two months left in the fiscal year, I think it’s time to be concerned.