The future of Electronic Health Records (EHR) security will be shaped by several policy developments over the past year. Taken together, they bring both good news and bad news.
The good news is that the Health IT Policy Committee, a federal advisory committee that provides recommendations on health IT policy issues and advises the Department of Health and Human Services (HHS), voted in early September to accept recommendations from its Privacy and Security Tiger Team. The team recommended requiring multi-factor authentication in certain cases involving remote access to patient information. The authentication would have to meet the National Institute of Standards and Technology (NIST) Level of Assurance 3 (LOA-3) requirements defined in NIST Special Publication 800-63. According to NIST, Level 3 "is appropriate for transactions that need high confidence in the accuracy of the asserted identity." LOA-3 requires multi-factor remote network authentication using at least two distinct authentication factors; a single password, however strong, does not qualify.
This decision will influence Stage 3 of the HITECH Act electronic health record incentive program that is slated to begin in 2015.
The bad news is that the Office of the National Coordinator for Health Information Technology (ONC), a unit of HHS, has backed off on plans to draft regulations setting voluntary "rules of the road," including privacy and security guidelines, for health information exchanges, which were intended to help pave the way for the nationwide exchange of health information.
Farzad Mostashari, M.D., who heads ONC, explains in his blog why the office has shelved plans to launch a Nationwide Health Information Network Governance Rule based on feedback to a request for information about the proposed regulation.
Mostashari points out: “Our goal is to encourage the exchange activities that are gaining steam across the country and across the industry, and not to hobble them. As we are accelerating the implementation and expectations of standards-based exchange in [HITECH Act] Stage 2 Meaningful Use, this is the last thing we want.”
However, Mostashari also warns that if the industry fails to continue making progress on secure health data exchange, ONC will again consider developing formal rules.
We can only hope that industry takes the advice of the HHS Privacy and Security Tiger Team and implements NIST LOA-3, with at least two authentication factors, for remote access to EHR data, including access that supports exchange between trading partners.