September 22, 2019

September 20, 2019


Ransomware Scandals Rock Hospital Systems; HHS’ Proposed Rule May Help

Hospital systems are on notice about ransomware attacks on their health IT systems after three hospital systems were reported to be victims of computer viruses. In response, one hospital system paid almost $17,000 in Bitcoin to retrieve its EHR, while the other two worked from paper records and backup systems for a few days while their main IT systems were taken down to flush out the virus. Coincidentally, the Department of Health and Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC) recently proposed a new rule designed to enhance safety and security for health IT users. While certified health IT does not necessarily protect against the newest computer viruses, HHS’ proposed rulemaking may ensure that health IT products continue to meet the needs of the health care system.

What is Certified Health IT?

Health IT is technology, like software, that stores, shares, and analyzes health information. It is used by patients and doctors to communicate and share information about the patients’ health. Health IT takes many forms, one of which is an electronic health record (EHR), or the patient’s electronic medical record. E-prescriptions, in which the doctor communicates directly with the pharmacy to fill a patient’s prescription, are another form of health IT.

Certified health IT is health IT that is tested and reviewed by accredited certification and testing bodies against specific IT security standards. Some of the goals of certification are to ensure that the patient’s EHR remains secure and protected, to improve health care quality by reducing medical errors, and to reduce health care costs resulting from incomplete information.

Proposed Rule

The proposed rule makes changes to ONC’s current certification program and its oversight of the third-party bodies that currently perform the certification and testing. The proposed rule focuses on three key areas:

  • ONC Direct Review of Certified Health IT: The proposed rule allows ONC to directly review certified health IT when it has evidence that the product may not conform to the certification requirements. ONC could require a health IT manufacturer to take corrective actions for these nonconformities.

  • Enhanced Oversight of ONC-Authorized Testing Laboratories: The proposed rule gives ONC direct oversight over the accredited testing labs by requiring the labs to apply for ONC authorization.

  • Surveillance Transparency and Accountability: Certified health IT surveillance results would be publicly accessible to provide customers and users with performance information, including continued compliance. The certification and testing bodies would make such information available on their websites on a quarterly basis.

Comments are accepted until May 2, 2016. Interested parties can comment electronically on, or send their written comments to HHS ONC at the Mary E. Switzer Building, Mail Stop: 7033A, 330 C St. NW, Washington, DC 20201. Make sure to reference RIN 0955-AA00 when sending written comments.

© Copyright 2019 Squire Patton Boggs (US) LLP


About this Author

Sarah H. Stec, Squire Patton Boggs, International Regulations Lawyer, Life Sciences Attorney

Sarah is an associate in the Healthcare Practice in Washington DC. She has experience in helping healthcare and life sciences companies understand new and evolving regulatory duties, including how those international regulations can work together, as well as providing guidance on international corporate accreditation and regulatory issues.

Robert Nauman, Health Care, Lawyer, Squire Patton Boggs

Robert has extensive experience counselling healthcare clients, including hospitals and health systems, physicians, physician groups, ambulatory surgery centers, insurers, health plans and management companies, in a variety of regulatory and transactional matters.

Robert’s areas of expertise include healthcare fraud and abuse laws, Medicare reimbursement issues, provider alignment strategies, provider enrollment, accreditation and licensure, Accountable Care Organizations, provider acquisitions and affiliations, healthcare antitrust matters, insurance regulation and healthcare transactional matters.

He is a member of the Ohio State Bar Association and the American Health Lawyers Association.