After Hacks, ONC Emphasizing ID and Access Management
Chief Privacy Officer Also Calls on EHR Vendors to Compete Based on Security
After the recent string of major hacker attacks, many healthcare providers are "like deer in headlights; they don't know what to do," says Lucia Savage, chief privacy officer at the Office of the National Coordinator for Health IT. So, to help address the issue of ensuring appropriate health data access, ONC, a unit of the Department of Health and Human Services, is focusing more attention on identity and access management issues, she says.
"ONC has particular capabilities and responsibility to sort out what is the right security for someone accessing their [own] data, and does it have to be as strict as someone [such as a physician] accessing data on thousands and thousands of people," she says in an exclusive interview with Information Security Media Group. Her comments came after her Sept. 2 presentation at an annual HIPAA security conference in Washington, D.C., hosted by HHS and the National Institute of Standards and Technology.
ONC is attempting to help healthcare providers understand the risks tied to users in various roles who access electronic health records systems "and the security that needs to go with those roles," she says.
Relying on EHR Vendors
Healthcare providers depend on software developers to produce electronic health record systems that meet certain criteria for security, she stresses. That's similar to consumers "who expect that car manufacturers will make the car safe for you. I think we should encourage our developers and vendors ... to race to the top with security. Start competing on who has the more secure, interoperable system for sale."
Savage also notes that ONC is collaborating with the Federal Trade Commission, the HHS Office for Civil Rights and the Food and Drug Administration to offer "online ability for developers to create new technology innovations and to know what [federal] rules environment they need to have their products operate in." A website for those developing new technologies, to be launched next spring by the FTC, will bring together various security-related and other resources from those agencies, such as guidance and recommendations, she says.
In the interview (see audio link below photo), Savage also discusses:
- The status of the next phase of ONC's draft interoperability roadmap, which was first released in January;
- The problem of "information blocking" by EHR vendors and healthcare providers;
- The impact of the impending departure of ONC leader Karen DeSalvo, M.D., if her appointment to a new HHS role is confirmed by the Senate.
Savage was appointed ONC chief privacy officer in October 2014 by HHS Secretary Sylvia Mathews Burwell. Before joining ONC, she was senior associate general counsel at United Healthcare. Previously, Savage was general counsel at the Pacific Business Group on Health and compliance manager at Stanford University.