CMS chief: Security standards lax for entities sharing data with CMS
Current interoperable information security standards limitations for health IT include minimum encryption standards, which are not being met by many of the 7,000 contributing entities, according to Michael Mellor, chief information security officer at the Centers for Medicare and Medicaid Services (CMS).

Mellor spoke at an assembly hearing of the Health IT Standards Committee on Nov. 19, in which he addressed health IT security issues, challenges, threats and solutions. The meeting sought input from domain experts and health practitioners on potential security issues protecting health information.

In addition to minimum encryption standards, Mellor said that the top emerging issue around data security will involve providing access to sensitive information.

The CMS shares its sensitive information with more than 7,000 various entities. Its approach to data theft, loss and misuse is focused on prevention and detection through a defense-in-depth and risk based approach to IT systems security, Mellor stated.

Under the Federal Information Security Management Act (FISMA), encryption must meet minimum standards laid out by Federal Information Processing Standards 140-2. According to Mellor, most commercial implementations of encryption do not meet this standard.

Additional gaps exist due to minimum electronic authentication requirements for certain data types under FISMA. Mellor specifically pointed out that the required two-factor electronic authentication for access to electronic personal health information (ePHI) means that CMS must manage a significant amount of user accounts and provide sufficient assurances that users are properly identified and authenticated before granting access to ePHI data.

The challenge from a security perspective, said Mellor, is making sure these 7,000 entities are performing their due diligence to protect the sensitive information.

Testimony and discussion from the hearing will be used as inputs to the Privacy and Security Workgroup’s deliberations and standardization recommendations for 2013 and beyond.

The next Health IT Standards Committee meeting is Jan. 20, 2010.