ONC Must Clarify Roadmap Health Security Plan, Says EHRA

By Elizabeth Snell

The health security plan and privacy measures outlined in the Office of the National Coordinator (ONC) Interoperability Roadmap need further clarification, according to comments by the HIMSS EHR Association (EHRA) in a letter addressed to National Coordinator Karen DeSalvo, MD, MPH, MSc.

While the ONC draft did a good job in identifying necessary interoperability principles and a “careful and pragmatic approach” to emerging standards and technologies, some extra clarification is still needed.

“We need clarity on the scope of the privacy and security protections intended,” the EHRA letter writers explained. “The reference to ‘learning health system’ and introducing RESTful application programming interface (API) services imply a significant increase in the scope of the interoperability model to include a very broad spectrum of healthcare information systems, including consumer devices.”

Moreover, the privacy and security protections should apply to all system components involved in the interoperability use case – not only to the EHRs. The EHRA explained that the Roadmap should also clarify that the scope includes non-EHR system components.

The letter also highlights the Roadmap discussion on patient identification and matching. EHRs often have separate interoperability engines to communicate with other applications, the group explained, and in that scenario EHRA asked about the scope of the privacy and security rules. For example, would the certification process be limited to the interoperability engine, or would it extend to the electronic health record (EHR) and the other systems communicating through that engine? This is why the Roadmap should apply privacy and security protections to all system components involved in the interoperability use case.

There must also be better training to ensure that the right privacy and security measures are being applied to keep health information secure, according to the EHRA.

“There is a strong need for training and education to be included in the Roadmap to change behavioral and cultural understanding of the relevance of cybersecurity risks,” the letter explained. “While industry can help promote some education, most of the burden is going to fall on the government.”

It would also be helpful to understand how ONC envisions organizations securely exchanging cybersecurity information with one another. The EHRA says that it must be clear how the exchange occurs and what type of data (known threats, vulnerabilities, etc.) would be shared, and it listed several questions for ONC:

• How would this be impacted by existing HIPAA business associate agreements?
• Would this include application and/or system vulnerabilities?
• Would there be a process and time period to allow a vendor or system owner to address discovered vulnerabilities without public disclosure?

Along similar lines, there must also be a uniform approach to cybersecurity enforcement. However, ONC must clarify whether this will include measures such as unifying state regulations or improving the protections on patient/consumer devices.

The EHRA also spoke to data encryption, and explained that it is unnecessary to include an update for data “at rest” in the new Roadmap.

“The decision to encrypt data at rest should be based on threat analysis,” the letter explained. “It is important to differentiate between data at rest on mobile and removable devices (i.e., high risk) and data at rest in fixed secured facilities (i.e., lower risk). In each case, the value of encryption as a security control is limited to providing protection from direct media access but provides little or no protection from improperly accessed applications or hacked user accounts.”

The same suggestion applies to “in transit” data as well, as the EHRA stated that the current definition is sufficient. However, the organization added that any perceived gaps around data encryption for in-transit data should be addressed to help further interoperability.

“The industry would benefit from any guidance ONC has to offer,” the EHRA explained. “However, encryption is one of many security controls available and any additional guidance would need to be holistic in its approach to addressing the larger issue of cybersecurity.”
