FISMA is becoming a roadblock for electronic health record implementation, Government Health IT magazine reported this week.

The Federal Information Security Management Act (FISMA), passed by Congress in 2002 to better protect the federal government against cyber attacks, mandates information security standards for all federal agencies. This includes the flow of data between the Centers for Medicare & Medicaid Services (CMS) and their contractors—over 200 of them, processing billions of Medicare claims. The new worry from CMS, according to Government Health IT, is that healthcare providers sharing EHR files will be required to meet FISMA standards, which include an annual security test and FISMA certification.

A CMS spokesperson is quoted as saying that this would be more than "burdensome" for both CMS and health care providers and organizations.
The conundrum is that information will be moving between the HIPAA world (the private sector) and the FISMA world (the government)—the latter of which is much more secure, from a protocol/standards perspective. Federal agencies are held to a higher standard than the private sector with respect to information security.
For a long time, consumer groups have argued that HIPAA is a weak standard for patient information security. Yet many worry that if FISMA is applied to the private sector, there will be a compliance crisis that will be costly to remedy. But why shouldn't the transfer of health information be held to the highest security standards? Advocates of a middle ground argue "yes," but not quite as stringent as FISMA. The standards should be more of a "HIPAA-plus" or "FISMA-lite," in the words of Vish Sankaran, a program director for the Federal Health Architecture project to connect health information entities.

In other words, get health care providers better engaged in securing healthcare information, but do not stunt the growth of the EHR movement by placing the bar too high.
In the end, the Office of Management and Budget will dictate the debate through its determination of what falls under the FISMA umbrella. In August of 2008, OMB issued some guidance, stating that FISMA applies to groups that "possess or use Federal information—or which operate, use or have access to Federal information systems (whether automated or manual)—on behalf of a Federal agency." OK, that could include a ton of organizations.

Confusing? You bet. This is government language, after all. Much like statistics, just mold it to your current need.
There is still debate over whether, for example, health information exchanges (HIEs) that "exchange" information but do not "access" federal information systems need to be FISMA compliant.
In any event, there is a strong and important need to address information security in the field of healthcare. Will FISMA be the best vehicle for achieving information security with respect to patient information? That remains unresolved, but hopefully the work to find a middle ground, coaxing the private sector into requiring more robust security standards, will be the outcome.