"Significant Concerns" About Security Gaps in EHRs

A new report out of the U.S. Department of Health and Human Services revealed "significant concerns" about security gaps in the electronic health records system, citing breaches that resulted in losses, injury or death.

Even as the first Medicare electronic health records (EHR) incentive program checks were issued this week, a new report out of the U.S. Department of Health and Human Services was released revealing "significant concerns" about security gaps in the system.

Following its investigation, the Office of the Inspector General warned that it found "a lack of general [information technology] security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals."

The Inspector General audited computer security at seven hospitals in seven states, and found 151 major vulnerabilities, including unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage, according to a report on PBS NewsHour. The report called 124 of the breaches "high impact," resulting in losses, injury or death.

The hospitals audited were located in California, Georgia, Illinois, Massachusetts, Missouri, New York and Texas, according to PBS NewsHour.

Closing these security gaps is the responsibility of the ONC, which sets the IT standards, as well as the Office for Civil Rights, which guards the privacy and safety of electronic medical records, according to the report.

As a result, the Inspector General recommended that the ONC:


• Broaden its focus from interoperability to include well-developed, general IT security controls for supporting systems, networks, and infrastructures;

• Use its leadership role to provide guidance to the healthcare industry on general IT security standards and best practices;

• Emphasize to the medical community the importance of IT security; and

• Coordinate with the Centers for Medicare & Medicaid Services and the Department's Office for Civil Rights to add general IT security controls where applicable.