Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and EHR for FREE!

Interview with ICSA Labs About EHR Certification

Posted on January 31, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

After hearing the news about CCHIT shutting down it’s EHR certification business, I thought it would be interesting to interview ICSA Labs, the EHR Certification body that CCHIT recommended to its users. The following is an interview with George Japak, Managing Director at ICSA Labs.

Is there a backlog of EHR vendors that want to schedule test dates with ICSA labs?  

A: There is no backlog. Since ICSA Labs received its ONC authorization, it has been our intent to grow our healthcare programs and offer the best testing and certification program in the industry. Over time we have ramped up our testing team and we have a deep pool of very experienced testers on staff. We have been getting a steady stream of news customers and inquiries and expect the CCHIT announcement will accelerate the pace.  At this point we have the capacity to test applicants as they are prepared to do so.

Is ICSA Labs able to support the onslaught of EHR companies that will come over from CCHIT?  Will that cause any delays on getting EHRs certified?

A: ICSA Labs at this point does not anticipate any delays. The ONC program was designed so that vendors and product developers would have a choice when it came to testing and certification. We were not the first lab to be authorized, but we knew that given the opportunity we would be able to deliver a program where customers would experience high satisfaction.

In my post, I suggested that the economics of EHR certification aren’t all that great.  Especially if you have a legacy cost structure like CCHIT.  Is the secret to ICSA’s success having a broader certification business beyond just EHR?

A: ICSA Labs has been in business since 1989, we have a number of accreditations to support an array of certification and testing programs, such as the IHE USA Certification program which just kicked off its second year at the 2014 IHE North American Connectathon. Our business is diverse and we leverage our capabilities across our business. We are used to doing business in competitive markets, so it has always been important for our programs and cost structure to emphasize efficiency and effectiveness and those benefits are passed onto our customers. Our testing and certification programs have always been competitively priced and efficient yet rigorous and done superior quality.

How much more complex is 2014 EHR certification compared with 2011 from an ONC-ACB perspective? 

A: As any recently certified company can attest to, the 2014 Edition criteria are significantly more complicated than the 2011 Edition. There are more test tools to maintain; more test data sets to review; frequent revisions and updates to the criteria and additional types of attestation to review. The time to complete testing has close to doubled and there are more requirements as they pertain to surveillance. After the 2011 Edition criteria, ICSA Labs asked for ONC to raise the bar, and they did. For ICSA Labs the added complexity was not unexpected.

The timelines for meaningful use stage 2 are starting to get squeezed.  Will the majority of EHR vendors be 2014 certified and ready in time?

A: There will always be stragglers, but I believe a majority of EHR vendors will be 2014 certified and ready in time for Meaningful Use 2. There has been an uptick in the vendors getting certified over the last few months. Providers and hospitals however are a different story, and they may feel the squeeze in terms of the timeline to purchase, implement and begin meaningfully using their EHR system. ONC extended the Stage 2 timeline to relieve some of that pressure.

I’ve heard that in some cases the ONC-CPHL has been slow at putting up newly certified EHRs.  Have you seen this?  Do you have a bunch of 2014 certified EHR vendors that haven’t been listed on ONC-CPHL yet?

A: The ONC-CHPL is generally responsive to our concerns and we work with them as they continue to refine new features like links to the public test results summary.

Guest Post: ONC-ATCB ICSA Labs – The Future of EHR Testing Requires Security and Privacy Enhancements

Posted on August 25, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Guest Post – Amit Trivedi – As the healthcare program manager for ICSA Labs, Amit Trivedi spearheads the lab’s overall efforts in the healthcare industry, including launching and managing the 2011/2012 Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB) certification program.


We all know there is no such thing as perfect security. All we can do is try to mitigate as many risks as possible. In this regard, there are areas related to information security that the current ONC-ATCB 2011/2012 (commonly referred to as meaningful use) certification testing does not yet address and that the health IT community should be aware of when implementing systems.

ICSA Labs is an Office of the National Coordinator-Authorized Testing and Certification Body (ONC-ATCB), designated to test both complete and modular electronic health record (EHR) technologies under the auspices of the federal government’s Temporary Certification Program. ICSA Labs has a history rich in the certification of security products. We have been testing security products and developing test criteria for more than two decades and we understand the importance of raising security awareness in the health IT community and helping Eligible Providers and Hospitals understand what meaningful use EHR certification testing does and doesn’t cover.

It is important to remember that regardless of the number of security features a product has, an incorrect or incomplete implementation can introduce vulnerabilities or compromise the security of the system. Certification testing can really only demonstrate that a product is capable of being used securely, not that its security can never be compromised.

Testing bodies must test products within the scope of approved test procedures. As an organization that has developed testing procedures and methodologies, we understand that there is a delicate balancing act when developing requirements so that general concepts and capabilities are covered by the testing, but the testing process is not designed so specifically as to stifle innovation in new products. As such, we recommend that end users and implementers be aware of these requirements when deploying ONC-ATCB 2011/2012 certified products.

Encryption Requirements Do Not Address the “What”

Consider the encryption requirements (criteria 170.302.u and 170.302.v). The current testing criteria require FIPS 140-2 level encryption. This an excellent way to require products to support some of the best levels of encryption available today, and that they are also in line with other federal encryption requirements.

One could compare encryption to a bank vault. You might purchase the most secure, unbreakable vault in the world, but if you don’t put your valuables in the vault, it won’t be of any help when there is a break-in. The current meaningful use testing procedures do not dictate what must be encrypted. Ultimately it falls to end users to make a determination as to how they want to implement security – hopefully basing the decision on a risk-based approach. Fortunately, meaningful use testing and certification follows a staged approach to getting from where we are today to where we’d like to be in the future. The meaningful use certification is planned to be rolled out in three stages. Right now, we are in the midst of Stage 1. Some recommendations to the ONC for Stage 2 security criteria include addressing things like encrypting data at rest (including data in datacenters and mobile devices) – something that is not part of the Stage 1 requirements.

Negative Testing Examines the Unexpected

Another area to highlight is related to negative testing, which is currently out of scope for ONC-ATCBs. The testing performed today relies on giving the EHR an expected input and verifying that the expected result is met. Negative testing, however, is the concept of giving unexpected or invalid inputs to a system and verifying receipt of an expected result (typically, that the data is not accepted or an error is generated that does not crash the system). Negative testing is common throughout ICSA Labs’ proprietary security testing programs and something we feel should be incorporated into future testing of EHR technologies under the ONC Certification program.

Consider the authentication and access control requirements (criteria 170.302.t and 170.302.o). Some of you may be aware of an old Unix bug that resulted in the operating system being unable to correctly support passwords over eight characters. If the password was 12 characters long, a user only needed to enter the first 8 characters to be allowed to login. This made password cracking on Unix servers much easier, and because the system allowed the entry of a longer password, most users were unaware of this limitation.

ICSA Labs has discovered the same or similar problems when testing products in our proprietary security certification programs, and the primary way we discover this is by negative testing. For example, we configure a password greater than eight characters, and then we attempt to login to the system using only the first eight characters. This should be treated as invalid by the system and rejected. However, the meaningful use EHR testing only tests that the system accepts valid passwords. There is no testing done on the system’s acceptance or rejection of invalid passwords.

The Future of EHR Testing Must Increase Security, Privacy

As we progress to the next stages of meaningful use certification, the requirements should begin to look at other areas of security, such as application testing for vulnerabilities like buffer overflows, SQL Injection, and cross-site scripting attacks. These are all examples of security testing best practices. In many instances, ONC has signaled its flexibility in allowing third-party products to complement functionality of EHR technologies, which means that not all of the functionality needs to be native to the product. This can allow EHR developers to focus on functionality that their customers are looking for, while at the same time keeping security as an important consideration in the product life cycle development.

It is our hope that future stages of meaningful use testing will raise the bar and specify how and when features like encryption should be used and the scope of testing will be expanded to include things like negative testing. As the meaningful use criteria evolve, it is critical that both the criteria and testing procedures are developed in ways that consider the long-term security and privacy of patient health records.  

Two More ONC-ATCB EHR Certification Bodies

Posted on December 10, 2010 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Today, HHS announced two more organizations that have been approved as ONC-ATCB for EHR certification:
SLI Global Solutions – Denver CO
Date of authorization: December 10, 2010.
Scope of authorization: Complete EHR and EHR Modules.

ICSA Labs – Mechanicsburg PA
Date of authorization: December 10, 2010.
Scope of authorization: Complete EHR and EHR Modules.

I’ve actually met with both of these organization. I met with SLI Global Solutions in Denver when I was attending AAFP. I wrote this blog post about SLI Global Solutions as an ONC-ATCB EHR Certification body after my visit with them. I’ll be getting more information from them which I’ll post on this or EMR and HIPAA as I get it.

ICSA Labs is an Independent Division of Verizon Business. I met with the CMO of Verizon at last year’s HIMSS where he told me that ICSA labs would become a certifying body (sorry I can’t find the post right now).

Both are very legitimate organizations with some definite interest and expertise in the healthcare space. For example, Verizon is making a big play with their Verizon HIE product offering.

I’ll see about getting more details on each of these new EHR certifying bodies so that we can see how they compare against the other ONC-ATCB. 5 EHR Certifying bodies. That’s probably enough to keep it competitive.