A new report from the Office of Inspector General expresses concern about emerging security standards for health IT as part of the 2009 HITECH act, noting several key areas where the standards don't go far enough to protect sensitive data. According to the report, the Office of the National Coordinator for Health Information Technology still lacks health IT standards with general IT security controls, and needs to broaden its focus beyond enabling interoperability.

The report, released late last week, said the HITECH Act lacks specific controls around the following needs: "encrypting data stored on compact discs and thumb drives, requiring two-factor authentication when remotely accessing an HIT system, and patching the OS systems of computer systems that process and store electronic health records."

The report ends with four recommendations for the Office of the National Coordinator:

  • That ONC "broaden its focus from interoperability specifications to include well-developed IT security controls."
  • "Use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices."
  • "Emphasize to the medical community the importance of general IT security."
  • "Coordinate its work with CMS and OCR to add general IT security controls when applicable."

It's a sobering read, particularly as hospitals and doctors race to comply with HITECH standards to qualify for meaningful use funding. That means thousands of providers are building or upgrading their IT systems, sometimes without much previous experience with interoperability, while the standards they're using aren't focused strongly enough on security to protect against HIPAA breaches.

In addition, the report argues that not enough is being done to protect data on mobile devices—at a time when the use of those devices in the health care setting is exploding. For instance, while encryption is required for shepherding data between systems, it isn't a standard for storing data on portable media.

To be sure, a lot of these issues are evolving in real time, making it somewhat difficult for the regulators to keep up with the rapid changes to providers' IT systems and devices. But the report is pretty strident in suggesting that necessary standards around security are coming up short at a fairly critical moment for the health IT industry. Stay tuned.