
Guest Post: ONC-ATCB ICSA Labs – The Future of EHR Testing Requires Security and Privacy Enhancements

Posted on August 25, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Guest Post – Amit Trivedi – As the healthcare program manager for ICSA Labs, Amit Trivedi spearheads the lab’s overall efforts in the healthcare industry, including launching and managing the 2011/2012 Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB) certification program.


We all know there is no such thing as perfect security. All we can do is try to mitigate as many risks as possible. In this regard, there are areas related to information security that the current ONC-ATCB 2011/2012 (commonly referred to as meaningful use) certification testing does not yet address and that the health IT community should be aware of when implementing systems.

ICSA Labs is an Office of the National Coordinator-Authorized Testing and Certification Body (ONC-ATCB), designated to test both complete and modular electronic health record (EHR) technologies under the auspices of the federal government’s Temporary Certification Program. ICSA Labs has a history rich in the certification of security products. We have been testing security products and developing test criteria for more than two decades and we understand the importance of raising security awareness in the health IT community and helping Eligible Providers and Hospitals understand what meaningful use EHR certification testing does and doesn’t cover.

It is important to remember that regardless of the number of security features a product has, an incorrect or incomplete implementation can introduce vulnerabilities or compromise the security of the system. Certification testing can really only demonstrate that a product is capable of being used securely, not that its security can never be compromised.

Testing bodies must test products within the scope of approved test procedures. As an organization that has developed testing procedures and methodologies, we understand that there is a delicate balancing act when developing requirements so that general concepts and capabilities are covered by the testing, but the testing process is not designed so specifically as to stifle innovation in new products. As such, we recommend that end users and implementers be aware of these requirements when deploying ONC-ATCB 2011/2012 certified products.

Encryption Requirements Do Not Address the “What”

Consider the encryption requirements (criteria 170.302.u and 170.302.v). The current testing criteria require that electronic health information be encrypted using an algorithm NIST has approved in Annex A of FIPS 140-2 (for example AES). This is an excellent way to require products to support some of the best encryption available today, and it keeps them in line with other federal encryption requirements.

One could compare encryption to a bank vault. You might purchase the most secure, unbreakable vault in the world, but if you don’t put your valuables in the vault, it won’t be of any help when there is a break-in. The current meaningful use testing procedures do not dictate what must be encrypted. Ultimately it falls to end users to make a determination as to how they want to implement security – hopefully basing the decision on a risk-based approach. Fortunately, meaningful use testing and certification follows a staged approach to getting from where we are today to where we’d like to be in the future. The meaningful use certification is planned to be rolled out in three stages. Right now, we are in the midst of Stage 1. Some recommendations to the ONC for Stage 2 security criteria include addressing things like encrypting data at rest (including data in datacenters and mobile devices) – something that is not part of the Stage 1 requirements.

Negative Testing Examines the Unexpected

Another area to highlight is related to negative testing, which is currently out of scope for ONC-ATCBs. The testing performed today relies on giving the EHR an expected input and verifying that the expected result is met. Negative testing, however, is the concept of giving unexpected or invalid inputs to a system and verifying receipt of an expected result (typically, that the data is not accepted or an error is generated that does not crash the system). Negative testing is common throughout ICSA Labs’ proprietary security testing programs and something we feel should be incorporated into future testing of EHR technologies under the ONC Certification program.

Consider the authentication and access control requirements (criteria 170.302.t and 170.302.o). Some of you may be aware of a long-standing limitation of the traditional Unix password hash (the DES-based crypt(3)), which used only the first eight characters of a password. If the password was 12 characters long, a user only needed to enter the first 8 characters to be allowed to log in. This made password cracking on Unix servers much easier, because the effective key space was never larger than eight characters, and because the system silently accepted the entry of a longer password, most users were unaware of the limitation.

ICSA Labs has discovered the same or similar problems when testing products in our proprietary security certification programs, and the primary way we discover this is by negative testing. For example, we configure a password greater than eight characters, and then we attempt to log in to the system using only the first eight characters. This should be treated as invalid by the system and rejected. However, the meaningful use EHR testing only tests that the system accepts valid passwords. There is no testing done on the system’s acceptance or rejection of invalid passwords.
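The negative test described above, as an added illustration that is not part of the original post or of ICSA Labs’ test procedures: a stand-in for a legacy password store that, like the old Unix hash, only looks at the first eight characters, placed beside a hardened store that hashes the whole password, and a negative-test routine that feeds both the truncated prefix and other invalid inputs and records whether each is rejected. The password value, the function names and the check names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: a 12-character password, longer than the legacy
# 8-character limit discussed in the text.
PASSWORD = "Tr0ub4dor&31"


def _legacy_hash(pw: str) -> bytes:
    # Mimics the historical behaviour: only the first eight characters
    # contribute to the stored hash, so anything beyond them is ignored.
    return hashlib.sha256(pw[:8].encode()).digest()


def make_legacy_record(pw: str) -> dict:
    return {"hash": _legacy_hash(pw)}


def legacy_verify(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(record["hash"], _legacy_hash(attempt))


def make_hardened_record(pw: str) -> dict:
    # Salted PBKDF2 over the full password; no length truncation.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest}


def hardened_verify(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], 100_000)
    return hmac.compare_digest(record["hash"], digest)


def negative_test(make_record, verify, password: str = PASSWORD) -> dict:
    """Run the positive case, then a set of invalid logins.

    Returns {check name: True} when the invalid input was rejected
    (the check passes) and {check name: False} when it was accepted.
    """
    record = make_record(password)
    # Positive test: the expected input must work before negative tests mean anything.
    assert verify(record, password), "positive case must succeed"
    invalid_attempts = {
        "8-char prefix rejected": password[:8],
        "prefix plus junk rejected": password[:8] + "XXXX",
        "empty password rejected": "",
        "case-changed password rejected": password.swapcase(),
    }
    return {name: not verify(record, attempt) for name, attempt in invalid_attempts.items()}


def passes_all(results: dict) -> bool:
    return all(results.values())


if __name__ == "__main__":
    for label, maker, verifier in (
        ("legacy (8-char)", make_legacy_record, legacy_verify),
        ("hardened", make_hardened_record, hardened_verify),
    ):
        results = negative_test(maker, verifier)
        print(label, "PASS" if passes_all(results) else "FAIL", results)
```

The legacy store passes the positive test and two of the negative checks but accepts both the eight-character prefix and the prefix followed by junk, which is exactly the class of defect a positive-only test plan never sees; the hardened store rejects all four.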

The Future of EHR Testing Must Increase Security, Privacy

As we progress to the next stages of meaningful use certification, the requirements should begin to look at other areas of security, such as application testing for vulnerabilities like buffer overflows, SQL injection, and cross-site scripting attacks. These are all examples of security testing best practices. In many instances, ONC has signaled its flexibility in allowing third-party products to complement the functionality of EHR technologies, which means that not all of the functionality needs to be native to the product. This can allow EHR developers to focus on the functionality their customers are looking for, while at the same time keeping security an important consideration throughout the product development life cycle.

It is our hope that future stages of meaningful use testing will raise the bar and specify how and when features like encryption should be used and the scope of testing will be expanded to include things like negative testing. As the meaningful use criteria evolve, it is critical that both the criteria and testing procedures are developed in ways that consider the long-term security and privacy of patient health records.  

101 Tips to Make Your EMR and EHR More Useful – EHR Tips 56-60

Posted on August 22, 2011 | Written By John Lynn

Time for the next entry covering Shawn Riley’s list of 101 Tips to Make your EMR and EHR More Useful. I hope you’re enjoying the series.

If you want to see my analysis of the other 101 EMR and EHR tips, I’ll be updating this page with my 101 EMR and EHR tips analysis. So, click on that link to see the other EMR tips.

60. Reporting, reporting, reporting, reports
What’s the point in collecting the data if you can’t report on it? I’ve written before about the types of EMR reports that you can get out of the EMR system. The reports a hospital requires will be much more robust than those of an ambulatory practice. In fact, outside of the basic reports (A/R, appointments, etc.), most ambulatory practices that I know don’t run very many reports. I’d say it’s haphazard report running at best.

Although, I won’t be surprised if the need to report data from your EHR increases over the next couple of years. Between the meaningful use reporting requirements and the movement towards ACOs, you can be sure that having a robust reporting system built into your EHR will become a necessity.

59. Are the meaningful use (MU) guidelines covered by your product?
Assuming you want to show meaningful use, make sure your EHR vendor is certified by an ONC-ATCB. Next, talk to some of their existing users that have attested to meaningful use stage 1. Third, ask them about their approach for handling meaningful use stage 2 and 3. Fourth, evaluate how they’ve implemented some of the meaningful use requirements so you get an idea of how much extra work you’ll have to do beyond your regular documenting to meet meaningful use.

58. If they aren’t CCHIT certified take a really really hard look
Well, it looks like this tip was written pre-ONC-ATCB certifying bodies. Of course, readers of this site and its sister site, EMR and HIPAA, will be aware that CCHIT Has Become Irrelevant. Now it’s worth taking a hard look if the EHR isn’t an ONC-ATCB certified EHR. There are a few cases where it might be ok, but they better have a great reason not to be certified. Not because the EHR certification provides you any value in itself, but because the EHR vendor will likely need that EHR certification to stay relevant in the current EHR market.

57. What billing systems do you interface with?
These days it seems in vogue to have an integrated EMR and PMS (billing system). Either way, it’s really important to evaluate how your EMR is going to integrate with your billing. Plus, there can be tremendous benefits to the tight integration if done right.

56. How much do changes and customizations cost?
In many cases, you can see and plan for the customization that you’ll need as part of the EHR implementation. However, there are also going to be plenty of unexpected customizations that you don’t know about until you’re actually using your EHR (Check out this recent post on Unexpected EHR Expenses). Be sure to have the pricing for such customizations specified in the contract. Plus, as much as possible try to understand how open they are to doing customizations for their customers.

Check out my analysis of all 101 EMR and EHR tips.

Which EHR Certifying Body?

Posted on March 3, 2011 | Written By John Lynn

Many of you will probably remember my post about Jim Tate and all his EHR certification experience. As I said in that post, Jim Tate knows his stuff when it comes to the EHR certification bodies (ONC-ATCB). So, I found his advice for EHR vendors on HITECH Answers pretty interesting when it comes to selecting which ONC-ATCB an EHR company should use.

You can go read the whole article, or here’s the CliffsNotes version: responsiveness and support of the EHR certifying body is most important.

ONC ATCB EHR Certification Process

Posted on January 3, 2011 | Written By John Lynn

Ok, was that enough abbreviations in the title of a post? Well, if you care about this post, you’ll probably recognize all of the abbreviations.

In a post I did on EMR and HIPAA about SureScripts as an ePrescribing ATCB, there was a comment made that possibly some of the ATCB were “in bed” with ONC in order to get their EHR certification body status. In response to the comment, Mark Joyce from SLI Global Solutions (an ATCB) provided some good insight into the process and costs associated with becoming an ATCB that can certify EHR software.

As the team lead for SLI’s application to the ONC I can assure you that our company has no political connections, traded favors or made contributions that won us our certification by the ONC. It was 10 weeks of grueling research by two independent companies (one company focusing on testing and the other certification) that resulted in a 1200 page application.

The application was in two parts: part one required both companies to expand and/or create a Quality Management System for the new process. It’s no easy task to develop both a 17025 and a Guide 65 conformant QMS. Part two required the applicant to have a thorough understanding of EHR architectures as well as the NIST testing procedures and tools.

It was evident by the followup questions from the ONC that the application had been very carefully reviewed.

Obtaining certification from the ONC was no easy task. I am proud to be a part of our company’s significant investment in the ATCB testing and certification process.

Yes, becoming an ONC-ATCB is definitely not a walk in the park to achieve. Anyone that says otherwise, likely hasn’t ever been through the process.

Two More ONC-ATCB EHR Certification Bodies

Posted on December 10, 2010 | Written By John Lynn

Today, HHS announced two more organizations that have been approved as ONC-ATCB for EHR certification:
SLI Global Solutions – Denver CO
Date of authorization: December 10, 2010.
Scope of authorization: Complete EHR and EHR Modules.

ICSA Labs – Mechanicsburg PA
Date of authorization: December 10, 2010.
Scope of authorization: Complete EHR and EHR Modules.

I’ve actually met with both of these organizations. I met with SLI Global Solutions in Denver when I was attending AAFP. I wrote this blog post about SLI Global Solutions as an ONC-ATCB EHR Certification body after my visit with them. I’ll be getting more information from them which I’ll post on this or EMR and HIPAA as I get it.

ICSA Labs is an independent division of Verizon Business. I met with the CMO of Verizon at last year’s HIMSS where he told me that ICSA Labs would become a certifying body (sorry I can’t find the post right now).

Both are very legitimate organizations with some definite interest and expertise in the healthcare space. For example, Verizon is making a big play with their Verizon HIE product offering.

I’ll see about getting more details on each of these new EHR certifying bodies so that we can see how they compare against the other ONC-ATCB. 5 EHR Certifying bodies. That’s probably enough to keep it competitive.

ONC-ATCB Certified EHR Breakdown by EHR Vendor

Posted on December 4, 2010 | Written By John Lynn

This is the third post in the series of posts(see the previous ONC-ATCB Certified EHR Breakdown and ONC-ATCB Certified EHR Breakdown by Certifying Body) looking at the EHR certification numbers put together by HITECH Answers. The following is a list of Certified EHR products by vendor:

Top 3 Vendors by number of Products Certified
– Cerner Corporation – 13 products
– Siemens Medical Solutions USA Inc – 9 products
– Epic Systems Corporation – 4 products

I guess these are the EHR software you want to avoid. Ok, that’s partially facetious. Just, can you imagine trying to battle the other 12 certified EHR to get support? Granted, most of them are likely hospital EHR and so there are usually support contracts in place to deal with this kind of thing. Don’t worry though, Allscripts should be on this list soon. I think they have something like 7 EHR software products for just ambulatory right now. I guess that’s the nature of acquisitions.

It will be interesting to continue to see this evolve.

ONC-ATCB Certified EHR Breakdown by Certifying Body

Posted on December 3, 2010 | Written By John Lynn

This is the second post in the series of posts (see the previous ONC-ATCB Certified EHR Breakdown) looking at the EHR certification numbers put together by HITECH Answers. The following is the breakdown of EHR Certification by Certifying body:

2 Certified by Infogard
– 1 Modular Ambulatory system
– 1 Modular Inpatient system
40 Certified by Drummond
– 15 Complete Ambulatory systems
– 5 Complete Inpatient systems
– 15 Modular Ambulatory systems
– 5 Modular Inpatient systems
88 Certified by CCHIT
– 50 Complete Ambulatory systems
– 15 Complete Inpatient systems
– 11 Modular Ambulatory systems
– 12 Modular Inpatient systems

Infogard is just getting started, but CCHIT and Drummond Group are cranking them out. I’m guessing right now demand for their service is strong and they can certify them as quick as they can. It will be interesting to see what happens to these organizations post EMR Stimulus money, but they have a few years before they have to worry about that.

Of course, this is only the temporary ONC EHR Certification. ONC will have the official one and then all the EMR vendors will likely have to re-certify again. Let’s call it the EHR certifying body stimulus program.

ONC-ATCB Certified EHR Breakdown

Posted on December 2, 2010 | Written By John Lynn

Many people were worried that we wouldn’t have many certified EHR available for 2011. I wasn’t one of those people, but they were out there. Seems to me that this really won’t be an issue at all. There’s 130 partial or complete EHR companies on the official ONC certified EHR list. That’s a lot of software and it’s only the beginning of December. I expect we’ll have 200 or so more ONC-ATCB certified EHR software by the first quarter of 2011.

The good people at HITECH Answers have done the hard work putting together the number of systems certified. Check out the numbers:
85 Complete EHR
– 65 Ambulatory systems
– 20 Inpatient systems
45 Modular EHR
– 27 Ambulatory systems
– 18 Inpatient systems

That’s right. 65 Complete Certified Ambulatory EHR. 27 other modular certified EHR and I’m sure that many of those are just doing the modular as a stepping stone to the full certification.

Official ONC-ATCB Certified EHR List

Posted on November 4, 2010 | Written By John Lynn

ONC and HHS have finally released the official list of ONC-ATCB Certified EHR which is essential to those providers interested in the ARRA EMR stimulus money. Of course, ONC is just providing the data that Drummond Group, CCHIT and other ONC-ATCB bodies (assuming more will start certifying) are providing them. I mentioned that we could look forward to this official list in my Drummond Group ONC-ATCB EHR Certifications post and my CCHIT ONC-ATCB EHR certifications post.

Looks like quite a few more EMR vendors are now ONC-ATCB certified since those first posts. Watch for many many more (almost all) of the EMR vendors to be certified by the end of the year or early 2011.

Looks like ONC is working on a version 2 of the list. Here’s their description of the next version of the ONC-ATCB Certified EHR list:

Please note: This is Version 1.0 of the Certified Health IT Product List (CHPL). Version 2.0 is under development and is expected to provide additional information, such as a list of the Clinical Quality Measures to which a given product was tested; and additional functionality, such as different ways to query and sort the data for viewing. The later version will also provide the above-mentioned reporting number that will be accepted by CMS for purposes of attestation under the EHR (“meaningful use”) incentives programs.

That number is going to be key next year for those wanting stimulus money. I’m glad they’re making access to the reporting number needed for attestation for EHR incentives easy to find.

Only problem with the above list is that it hasn’t been updated since Nov. 1. I wonder how often they’ll update it. Although, it probably won’t matter much in the long run.

ONC-ATCB Certified EHR Now Available

Posted on October 4, 2010 | Written By John Lynn

In case you missed the announcements on Thursday and Friday, Drummond Group announced the first ONC-ATCB certified EHR (3 of them) and CCHIT announced their first set of ONC-ATCB certified EHR (21 full ONC-ATCB EHR). I also got word today that HHS finally updated their website with the Drummond Group ONC-ATCB.

Of course, we have a few hundred more EHR software out there that are going to be announced. It’s just a matter of how quickly the ONC-ATCB are going to be able to pump out the certifications. Not to mention the EMR vendors completing the list of requirements.

As one EMR vendor told me this weekend: we could have easily rolled out the features that the EHR certification requires to become certified. However, that wouldn’t have been very useful for our users. Then, he went on to say that he’d rather spend an extra month or two to make the certified EHR requirements part of a really nice and useful dashboard than just roll out some shoddy features that satisfy the EHR certification requirements but don’t make sense to doctors.

Makes you wonder about these first EHR vendors that have been certified. Just because the EMR is an official ONC-ATCB doesn’t mean you will actually want to use that EMR software.