Hospital systems are on notice for ransomware attacking their health IT systems after three hospital systems are reported to be victims of computer viruses.   In response, one hospital system paid almost $17,000 in Bitcoin to retrieve their EHR, while the other two hospital systems worked off paper records and backup systems for a few days while their main IT systems were taken down to flush out the virus.  Coincidentally, the Department of Health and Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC) recently proposed a new rule designed to enhance the safety and security for health IT users.  While certified health IT does not necessarily protect against the newest computer viruses, HHS’ proposed rulemaking may ensure that health IT products continue to meet the needs of the health care system.
What is Certified Health IT?
Health IT is technology, like software, that stores, shares, and analyzes health information.  It is used by patients and doctors to communicate and share information about the patients’ health.  Health IT takes many forms, one of which is an electronic health record (EHR), or the patient’s electronic medical record.  E-prescriptions, in which the doctor communicates directly with the pharmacy to fill a patient’s prescription, is another form of health IT.
Certified health IT is health IT that is tested and reviewed by accredited certification and testing bodies against specific IT security standards.  Some of the goals of certification are to ensure that the patient’s EHR remains secure and protected, improving health care quality by reducing medical errors, and reducing health care costs resulting from incomplete information.
Proposed Rule
The proposed rule makes changes to ONC’s current certification program and its oversight over the third party bodies that currently perform the certification and testing.  The proposed rule focuses on three key areas:

  • ONC Direct Review of Certified Health IT: The proposed rule allows ONC to directly review certified health IT for which it has evidence that the certified health IT may not conform to the certification requirements. ONC could require corrective actions for these nonconformities from a health IT manufacturer.
  • Enhanced Oversight of ONC-Authorized Testing Laboratories: The proposed rule gives ONC direct oversight over the accredited testing labs by requiring the labs apply for ONC authorization.
  • Surveillance Transparency and Accountability: Certified health IT surveillance results would be publicly accessible to provide customers and users with performance information, including continued compliance. The certification and testing bodies would make such information available on their websites on a quarterly basis.

Comments are accepted until May 2, 2016.  Interested parties can comment electronically on, or send their written comments to HHS ONC at the Mary E. Switzer Building, Mail Stop: 7033A, 330 C St. NW, Washington, DC 20201.  When commenting, make sure to reference RIN 0955-AA00 when sending written comments.