Health and Human Services Raises Bar for Risk Analysis with latest HITECH Rules

Organizations will need to match features to security mitigations in qualifying electronic health records systems.

New guidelines from the U.S. Department of Health and Human Services (HHS) will require healthcare providers who want to qualify for substantial federal subsidies for the adoption of electronic health record (EHR) technology to prove they are addressing the security risks posed by EHR platforms, according to a published report.

In a statement on Tuesday, the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) said that health providers will need to conduct more detailed risk analysis of their EHR systems to comply with the final rule for Stage 3 of HHS's meaningful use standard. That may include encrypting health data stored and transmitted by EHR systems, or adopting new "technical, administrative and physical safeguards" needed to lock down protected health information - or PHI. That, according to a report on the web site

Proving "meaningful use" of electronic health record technology is a prerequisite for qualifying for generous federal subsidies for adopting the technology. EHR adoption is a lynchpin in the federal government's efforts to move doctors' offices, hospitals and other healthcare providers away from inefficient, paper-based record keeping.

Risk analysis was a requirement to qualify for Stages 1 and 2 of the meaningful use program, as well. But the Stage 3 requirements take things a step further: asking healthcare providers to dig deep into their EHR systems and identify weaknesses and potential risks, then apply technology fixes that address those risks.

Each certification capability for an EHR system should be "paired with the appropriate privacy and security safeguard," ONC said in a statement to For example: features that allow PHI to be transferred between electronic health record systems should be paired with related security features such as authentication, access control and data encryption or hashing that protects the transferred data, reported.

That's critical. As this blog has reported, the combination of a federal push to use electronic health records systems, insecure cloud-based systems and motivated cyber criminals has created a "perfect storm" for healthcare providers and consumers. Most recently, data maintained by the firm Systema Software of Larkspur, California, which provides claims administration software and services to the insurance industry, was found publicly available on a subdomain on AWS that was associated with Systema. And, in July, a breach at the Indiana firm Medical Informatics Engineering (MIE) exposed PHI on some four million patients at more than 230 medical facilities that relied on MIE products, including the NoMoreClipBoard EHR system.

The so-called "Final Rule" guidance from HHS is intended to streamline requirements for providers and to give them a bit more time to comply with the Stage 3 provisions. Organizations seeking to qualify for meaningful use subsidies will have 60 days to comment on the Stage 3 guidelines and will have until 2018 to comply with the requirements.

Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.
