- EHR Pilot Issues Spur USAF Spending on Health IT Infrastructure
- HHS Warns Health IT Infrastructure Could Put Patient Data At Risk
In February 2018, the GAO recommended that HHS work with the Department of Agriculture to improve critical infrastructure protection. This involves consulting with industry sector partners to develop methods for determining the level and type of cybersecurity framework adoption by entities in their respective sectors. Sector partners include the sector coordinating council, Department of Homeland Security, and the National Institute of Standards and Technology.
GAO noted that HHS concurred with the recommendation and is conferring with appropriate operating divisions and agencies to identify applicable methodologies for determining the level and type of cybersecurity framework adoption across the healthcare and public health sectors.
The Pandemic and All-Hazards Preparedness Reauthorization Act of 2013 (PAHPRA) manded that HHS establish an electronic public health situational awareness network capability mandated. To implement IT enhancements needed to set up this network, the GAO recommended in September 2017 that HHS secretary direct the assistant secretary of preparedness and response to conduct all IT management and oversight processes related to establishment of the network in accordance with enterprise performance life cycle framework guidance.
HHS did not agree or disagree with the GAO’s recommendations. The government watchdog warned that HHS could continue to fall short of the progress needed in order to establish an electronic public health situational awareness network capability.
Performance Measures for EHR Implementation Needed
To ensure that CMS and the Office of the National Coordinator for Health Information Technology (ONC) can monitor the effect of the electronic health record (EHR) programs and progress made toward goals, the GAO recommended that HHS direct its agencies to develop performance measures to assess outcomes of the EHR programs. These measures should include any effects on health care quality, efficiency, and patient safety and other health care reform efforts that are intended to work toward similar outcomes.
HHS neither agreed nor disagreed with this recommendation. HHS provided a variety of publicly available reports, which the department indicated showed how program participants were progressing in the EHR programs. However, in reviewing those materials, GAO did not see evidence that HHS had developed outcome-oriented performance measures that align with the intended outcomes of the EHR programs.
In 2018, CMS changed the name of these programs to the Promoting Interoperability programs to focus on improving interoperability and patients’ access to health information. CMS officials noted that the agency is working to develop related outcome-based measures. To fully implement this recommendation, CMS needs to develop performance measures that enable the agency to assess whether the Promoting Interoperability programs are indeed improving outcomes, GAO stressed.
“The nation’s critical infrastructure provides the essential services—including health care—that underpin American society. The infrastructure relies extensively on computerized systems and electronic data to support its missions,” the GAO report observed.
“However, serious cybersecurity threats to the infrastructure continue to grow and represent a significant national security challenge. Additionally, recent data breaches have highlighted the importance of ensuring the security of health information, including Medicare beneficiary data. Such data are created, stored, and used by a wide variety of entities, such as health care providers, insurance companies, financial institutions, researchers, and others,” it noted.