National Center for Health Research, October 11th 2018
National Center for Health Research’s Comments on
Request for Information Regarding the 21st Century Cures Act Electronic
Health Record Reporting Program
[HHS-ONC-2018-0022]
Thank you for the opportunity to provide our views on how to best implement the Electronic Health Record Reporting Program established as part of the 21st Century Cures Act. The RFI seeks guidance on how to prioritize EHR reporting criteria, as well as identify sources of health IT data and information that would help effectively compare different health IT products.
The National Center for Health Research is a nonprofit think tank that conducts, analyzes, and scrutinizes research, policies, and programs on a range of issues related to health and safety. We do not accept funding from companies that make products that are the subject of our work.
Cybersecurity remains a critical yet under-measured issue for EHRs and should therefore be a key focus of EHR reporting: One important concern is the growing susceptibility of EHRs and health IT to hacking and other cybersecurity issues such as ransomware. Of the categories listed for EHR reporting (security, interoperability, usability and user-centered design, conformance to certification testing, other categories), “security” of health IT presents the most serious risk and a growing threat to the future safety of patients.
A published study by the National Center for Health Research based on an FDA database found that software flaws in health IT are not rare [1]. Furthermore, our preliminary analysis of ONC’s CHPL dataset suggested vendor adherence to EHR privacy/security standards varied greatly, with cybersecurity standards being certified for EHRs roughly 51.4±24.1% (median 49.3, IQR 44.1–61.6) of the time [2]. Finally, current health IT products are increasingly susceptible to hacking and ransomware, as evidenced by a recently published study showing that EHR-related security incidents have affected millions of patient records over the past 5 years [3].
A data-driven approach is needed for reporting health IT vulnerabilities to hacking and cybersecurity risks to the larger health technology ecosystem. We recommend expanding several datasets with structured data for EHR reporting:
- HHS Office for Civil Rights PHI breach database: As part of HITECH Act-related revisions to HIPAA, the HHS Office for Civil Rights makes a dataset publicly available describing all breaches of protected health information affecting more than 500 patients [4]. While the current dataset focuses on the covered entities affected, we strongly recommend expanding the list of structured data to include details regarding the health IT products and vendors impacted by each PHI breach.
- ONC Certified Health IT Product List (CHPL) database: While ONC already makes EHR data available via the CHPL dataset, detailed data regarding cybersecurity standards would stimulate the development of tools to assess cybersecurity risks in different health IT products. We recommend adding structured data fields that clearly identify which certification criteria involve privacy and security, as well as which products meet those standards.
- FDA medical device/technology databases: The FDA maintains several databases of medical devices and technologies, including products that were removed from the market (recalled) due to serious risks to patient safety. While the 21st Century Cures Act (Section 3060) removes EHRs from FDA regulatory authority, cybersecurity attacks make no distinction between these products and other medical devices. We strongly recommend adding and populating structured fields in FDA databases whenever cybersecurity vulnerabilities are discovered in recalled medical devices that could impact health IT (or vice versa).
For questions or more information, please contact Dr. Stephanie Fox-Rawlings, PhD at sfr@center4research.org or at (202) 223-4000.
References
1. Ronquillo JG, Zuckerman DM. Software-Related Recalls of Health Information Technology and Other Medical Devices: Implications for FDA Regulation of Digital Health. Milbank Q 2017;95:535–53. https://www.ncbi.nlm.nih.gov/pubmed/28895231
2. Ronquillo JG, Zuckerman DM. Impact of Current Health IT Standards and Policies on Cybersecurity and Precision Medicine. American Medical Informatics Association (AMIA) 2018 Clinical Informatics Conference. 2018. https://cic2018.zerista.com/event/member/474710
3. Ronquillo JG, Winterholler JE, Cwikla K, et al. Health IT, hacking, and cybersecurity: national trends in data breaches of protected health information. JAMIA Open 2018;1:15–9. https://academic.oup.com/jamiaopen/article/1/1/15/5035928
4. U.S. Department of Health and Human Services Office for Civil Rights. Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. 2017. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf