
    Weak password and security guidelines put patient health records at risk

    Federal agency monitoring EHR certification leaves door open to hackers by not requiring the use of strong passwords and other safety standards


    Strong passwords are the first line of defense against computer hackers. But a government report warns that patients are at risk because the certification process for electronic health records (EHRs) doesn’t require the use of a strong password.


    An audit by the U.S. Department of Health and Human Services' Office of Inspector General (OIG) takes issue with the criteria used by the Office of the National Coordinator for Health Information Technology (ONC) to certify EHR vendors.

    “Our audit revealed vulnerabilities with the Temporary EHR certification program,” said the report. “These vulnerabilities could allow hackers to penetrate EHR systems, thereby compromising the integrity, confidentiality, and availability of patient information stored in and transmitted by a certified EHR.”

    The OIG noted that accepting a single-character password for certification was inadequate and pointed to the need for more complex passwords.

    The ONC currently deputizes private bodies, known as Authorized Testing and Certified Bodies (ATCBs), to certify that records meet defined minimum technology standards in seven information technology areas: access control, emergency access, automatic log-off, audit log, integrity, authentication, and general encryption. The agency also defines the criteria for the certification process.

    The ONC responded that the temporary process was no longer active and that its 2014 certification criteria had “strengthened test procedures for common security and privacy features for inclusion in EHRs,” but the OIG says that the 2014 criteria still did not address common security issues, such as password complexity and/or logging emergency access or user privilege changes.

    Since 2009, 32 million Americans have had their medical records compromised, according to an HHS website. Some of the breaches resulted from employee carelessness, but many point directly to password vulnerabilities and encryption issues.
