- A recent Office of the Inspector General (OIG) report titled “Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology” gave some insight into EHR technology audit and access control capabilities and how healthcare providers are taking advantage of these functions.
The annual cost of healthcare fraud is between $75 billion and $250 billion, according to 2009 CMS estimates, and OIG administered an online questionnaire to 864 hospitals between October 2012 and January 2013 to learn about the Certified EHR Technology hospitals are using. OIG found that nearly all hospitals with EHR technology had contractor RTI International (RTI)-recommended audit functions in place, but they may not be maximizing their potential. And hospitals were found to use a variety of RTI-recommended user authorization and access controls, with most using RTI-recommended data transfer safeguards. OIG also found that a copy-paste feature in EHR technology that, if used improperly, could turn into a fraud vulnerability, and only one quarter of hospitals had policies to prevent this technology.
Audit logs: Privacy or fraud tool?
96 percent of hospitals reported that their audit logs remain operational at all times despite reporting barriers, including limited human resources, a lack of vendor-provided audit log user guides, and inadequate training on audit log functionality. OIG explained that because audit logs monitor user activity, they’re an important tool against EHR fraud. In fact, one-third of RTI’s recommended safeguards concern audit log operation and content. About 44 percent of hospitals delete their audit logs, which is against RTI advice for them to be available for fraud detection. Most hospital use their audit logs for privacy and not fraud monitoring purposes.
Exploring small and non-healthcare organizations’ HIPAA needs Reminders for HIPAA Compliance with Business Associates Jersey City Medical Center reports Medicaid patient breach Memphis Regional Medical Center reports health data breach HHS requests comment on HIPAA’s role in mental health reports Healthcare CISO education program focuses on risk management Health Data Breaches Accounted for 37% of all 2014 Incidents What Are Critical Considerations in Risk Management? NIST Vulnerable Software Guide May Affect Health Data Security Healthcare privacy, security 2014 predictions: Future trends Multi-factor authentication options for healthcare IT managers Does Healthcare Security Interfere with Clinical Workflow? Why Medical Device Security is a Key 2016 Healthcare Issue PPN offers 6 tips to overcome PHI security obstacles Mass. Hospital Hit With $200K OCR HIPAA Settlement Molina Healthcare contractor mail error exposes patient data DirectTrust Sees 15% PHI Sharing Increase for Q2 2017 Rady Children’s Hospital boosts data security training Data breaches of EHRs underscore need to upgrade systems and adapt to changing times Key Reminders For Your HIPAA Security Risk Assessment Malware Most Common Smart Hospital Data Security Threat NIST allocates $7 million to new NSTIC pilots NIST Resource to Help Create Strong Cybersecurity Workforce 95% of Healthcare Orgs Not Utilizing Risk Management Software PHI Incidents Increased 123% in November, Says VA Report Tennessee Hospice Investigated Over Potential HIPAA Violation Reminders for Securing Patient Data Through Meaningful Use Surescripts CEO Harry Totonis to step down in March Potential PHI Data Breach Follows Mich. Employee Email Hack CMS CISO: HealthCare.Gov security testing complete How Administrative Safeguards Can Prevent Data Breaches Secure Health Data Exchange Key Focus for AMA Investment Stakeholders Desire Clarification on Secure Data Exchange in TEFCA HIPAA concerns with text messaging in pediatric hospitals Breaking Down the Evolution of Healthcare Phishing Scams ACLU, DEA squabble over patient prescription privacy rights MA billing company reaches $140K health data breach settlement Healthcare Cybersecurity Can Improve in 2015, Says HITRUST MDLive Lawsuit Claims Patient Data Privacy Violations Business associates prepare for HIPAA omnibus compliance How Automation Aids Data Security, Improves Patient Satisfaction McAfee threat report cites mobile malware, social attacks Addressing FTC Jurisdiction Over HIPAA Covered Entities AAMI report: Cybersecurity questions for healthcare execs HITPC gets answers to Stage 3 Meaningful Use security questions Industry Applauds HHS Cybersecurity Task Force Report Identifying and mitigating healthcare IT security risks Airstrip Technologies adds Diversinet HIPAA-compliant SDK Physician: Efficiency factors into two-factor authentication OCR, WEDI analyze HIPAA rules for PHI sales, marketing NIST Guide Provides Strategies for Increased Email Security Are Cybersecurity Measures Improving After OPM Data Breach? Updated Google Policy May Affect Patient Data Security Business Associates Benefit From HITRUST Program Expansion Data Security, Privacy Key in EHNAC Designation with HITRUST Best Practices for Preventing Phishing Attacks, Data Breaches Healthcare Application Security Lagging, Says Study IT expert discusses healthcare security challenges, training More Patients Using Health IT, Value Online EHR Access Is the HIPAA Security Rule Doing Enough for Healthcare? NIST Cybersecurity, Data Privacy Report Open for Comments How Can Covered Entities Best Prepare for Ransomware Threats? Republicans use proposed breach notice bill to pressure HHS Why Collaboration is Key for FDA Medical Device Cybersecurity Large Data Breaches Top Worry for Health Pros, Survey Shows S.C. Comprehensive Psychological Services has 3,500-patient breach How a Texas Org. Improved its Medical Device Security Why Halifax Health Opted for a New Secure Texting Option Duke Health System notifies patients of data breach Why Healthcare Security Needs a New Approach to Malware Faxing Error Leads to Healthcare Data Breach, Lawsuit Cyberattacks Threaten Thousands of Patient Health Records PA Security Breach from Missing External Hard Drive Affects 4.1K FDA Finalizes Medical Device Cybersecurity Guidance CA Supreme Court Rejects Physician Patient Privacy Claim Patient Privacy Advocated for in AAPS Amicus Brief to SCOTUS Healthcare Cybersecurity Threats Require HHS Bill of Materials Hackers Access EHR Data in Potential Healthcare Data Breach Provisioning users with healthcare IAM dashboards Secure healthcare communication in a mobile environment Conn. Data Breach Security Bill Moves Forward Why wouldn’t a healthcare organization encrypt its data? HIPAA Regulations Create Communication Obstacle, Says Survey Patient Privacy Included in Recent Opioid Records Senate Bill Using IAM Solutions for Stronger Cybersecurity Measures Should healthcare be bracing for hacker identity theft plans? The False Promise of HIPAA for Healthcare Cybersecurity Effective and secure internal communication key for hospitals Encrypting healthcare data at rest: NIST best practices Health data encryption questions to ask your vendors Healthcare Security and Compliance Increases, Says DataMotion Protecting Your Healthcare Brand by Investing in Data Security Calif. Patient Privacy Case Reaches State Supreme Court Long Beach Memorial Medical Center announces data breach HIPAA omnibus and HITECH civil penalty changes Using, Exchanging Health Data Securely a Challenge, Says OIG OCR Reiterates HIPAA Guidance for Opioid Crisis Response HIPAA or patient ownership to safeguard health data? US-CERT Updates Cybersecurity Incident Notification Guidelines Survey Finds Cloud Security, IoT Security Potentially Lacking
EHR vendors confirmed that their hospitals use the audit log as a HIPAA compliance tool rather than a tool to detect fraud. One vendor reported that hospitals were generally not aware of all the audit log features available to them. For example, all four EHR vendors explained that they provide standard product implementation and training and that hospitals do not commonly ask for additional audit log training.
According to OIG, all responding hospitals reported that they authenticate EHR users via a unique user identification and password. Some hospitals had implemented stronger user authentication tools, such as tokens (21 percent of hospitals), public key infrastructure (14 percent), and biometrics (7 percent). 22 hospitals also reported implementing additional safeguards to ensure appropriate access to the EHRs.
Although the copy-paste feature in EHRs can enhance efficiency of data entry, it may also facilitate attempts to inflate, duplicate, or create fraudulent health care claims. RTI acknowledges the potential for misuse of the copy-paste feature in EHRs and suggests that specific warnings directed to EHR users be considered. Further, RTI recommends that the use of such tools be captured in the audit log. However, only 24 percent of hospitals had policies in place regarding use of copy-paste, and only 44 percent of hospital audit logs recorded the method of data entry (e.g., copy-paste, direct text entry, speech recognition) when data are entered into the EHR.
OIG recommends that audit logs be operational whenever EHR technology is available for updates or viewing and that ONC and CMS collaborate for create a comprehensive plan to address fraud vulnerabilities in EHRs. And it requested that CMS develop guidance on the use of the copy-paste feature in EHR technology. CMS and ONC agreed with all of its recommendations.
Although ONC contracted with RTI to develop a list of recommended safeguards for EHR technology, the Department did not directly address all of these safeguards through certification criteria or meaningful use requirements. This review found that, on their own initiative, hospitals were employing EHR fraud and abuse safeguards to varying degrees. However, the Department must do more to ensure that all hospitals’ EHRs contain safeguards and that hospitals use them to protect against electronically enabled health care fraud.