Many hospitals and physicians are not meeting general password strength criteria set forth by The Office of Inspector General of the Department of Health and Human Services.
The Office of Inspector General of the Department of Health and Human Services (OIG HHS) recently found weaknesses in the current EHR certification criteria, leaving systems susceptible to hackers. Because hospitals and physicians rely on these criteria to ensure that their system is secure and patient data isn’t compromised, this is a significant issue.
Passwords serve as an authentication barrier. Though they may not prevent hackers from breaching the system, they can certainly keep them at bay temporarily. It’s critical that users select more difficult and complex passwords for their systems. Using common phrases, short words, or personal information for simplicity and memory’s sake won’t suffice. According to HealthIT.gov, passwords should include at least eight characters and consist of a combination of upper and lower case letters, numbers, and special characters.
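To make the HealthIT.gov criteria concrete, here is an added example (not code from the article or from HealthIT.gov) that reports which of those criteria a candidate password fails. It also goes one step beyond the stated rules to catch the common phrases and personal information the paragraph warns against; the phrase list and the personal-info check are assumptions constructed for this example, and a real deployment would use a much larger breached-password list.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of common phrases; a real deployment would check against a
# large breached-password list instead (assumption, not from the article).
COMMON_PHRASES = {"password", "welcome", "letmein", "qwerty", "hospital", "admin"}

# Undo common symbol-for-letter substitutions so "P@ssw0rd" still matches "password".
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "1": "i", "3": "e"})


def check_password(password: str, personal_info: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the list of criteria the password fails; an empty list means it passed.

    The first five checks are the HealthIT.gov criteria quoted in the article
    (at least eight characters; upper case, lower case, digit, special character).
    personal_info maps a label such as "last_name" to a value that must not appear
    in the password; this check is an addition assumed for the example.
    """
    failures: List[str] = []
    if len(password) < 8:
        failures.append("fewer than 8 characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper case letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lower case letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")

    # Complexity rules alone do not stop "P@ssw0rd": normalise and compare to the phrase list.
    normalized = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    if normalized in COMMON_PHRASES:
        failures.append("matches a common phrase")

    # Reject passwords built from the user's own profile data (name, birth year, ...).
    for label, value in (personal_info or {}).items():
        if value and value.lower() in password.lower():
            failures.append(f"contains {label}")
    return failures
```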
ONC is responsible for determining which criteria must be evaluated for certification. Authorized Testing and Certified Bodies (ATCBs) are approved by the ONC to certify EHRs in the following seven areas of information technology:
- Access control
- Emergency access
- Automatic logoff
- Audit log
- General encryption
The ONC has stated that the new 2014 criteria are stronger, but the OIG is still not satisfied. Statistics on the HHS website show that the medical records of 32 million Americans have been breached since 2009, and the majority of those breaches are due to weak passwords and security problems. Large-scale hacks have become more frequent recently. Medical records, in particular, are a target because of the amount of information a hacker can aggregate from them.
According to the National Center for Health Statistics (NCHS), 78.4% of office-based physicians were using an EHR system in 2013, which is an all-time high. This adoption rate can likely be attributed to the financial incentives offered by Medicare for those providers who attest to the stages of meaningful use with their certified EHR systems (and the penalties for those who do not). The system is also helpful in understanding the ICD-10 classification codes, which could be complicated for providers to use on their own.
Overall, it seems that government guidance is critical to the protection of healthcare information technology. The OIG holds that the ONC needs to take great steps to improve its certification process, or the hacking trend may only continue.