Guest Post: ONC-ATCB ICSA Labs – The Future of EHR Testing Requires Security and Privacy Enhancements

Guest Post – Amit Trivedi – As the healthcare program manager for ICSA Labs, Amit Trivedi spearheads the lab’s overall efforts in the healthcare industry, including launching and managing the 2011/2012 Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB) certification program.

We all know there is no such thing as perfect security. All we can do is try to mitigate as many risks as possible. In this regard, there are areas related to information security that the current ONC-ATCB 2011/2012 (commonly referred to as meaningful use) certification testing does not yet address and that the health IT community should be aware of when implementing systems.

ICSA Labs is an Office of the National Coordinator-Authorized Testing and Certification Body (ONC-ATCB), designated to test both complete and modular electronic health record (EHR) technologies under the auspices of the federal government’s Temporary Certification Program. ICSA Labs has a history rich in the certification of security products. We have been testing security products and developing test criteria for more than two decades and we understand the importance of raising security awareness in the health IT community and helping Eligible Providers and Hospitals understand what meaningful use EHR certification testing does and doesn’t cover.

It is important to remember that regardless of the number of security features a product has, an incorrect or incomplete implementation can introduce vulnerabilities or compromise the security of the system. Certification testing can really only demonstrate that a product is capable of being used securely, not that its security can never be compromised.

Testing bodies must test products within the scope of approved test procedures. As an organization that has developed testing procedures and methodologies, we understand that there is a delicate balancing act when developing requirements so that general concepts and capabilities are covered by the testing, but the testing process is not designed so specifically as to stifle innovation in new products. As such, we recommend that end users and implementers be aware of these requirements when deploying ONC-ATCB 2011/2012 certified products.

Encryption Requirements Do Not Address the “What”

Consider the encryption requirements (criteria 170.302.u and 170.302.v). The current testing criteria require FIPS 140-2 level encryption. This an excellent way to require products to support some of the best levels of encryption available today, and that they are also in line with other federal encryption requirements.

One could compare encryption to a bank vault. You might purchase the most secure, unbreakable vault in the world, but if you don’t put your valuables in the vault, it won’t be of any help when there is a break-in. The current meaningful use testing procedures do not dictate what must be encrypted. Ultimately it falls to end users to make a determination as to how they want to implement security – hopefully basing the decision on a risk-based approach. Fortunately, meaningful use testing and certification follows a staged approach to getting from where we are today to where we’d like to be in the future. The meaningful use certification is planned to be rolled out in three stages. Right now, we are in the midst of Stage 1. Some recommendations to the ONC for Stage 2 security criteria include addressing things like encrypting data at rest (including data in datacenters and mobile devices) – something that is not part of the Stage 1 requirements.

Negative Testing Examines the Unexpected

Another area to highlight is related to negative testing, which is currently out of scope for ONC-ATCBs. The testing performed today relies on giving the EHR an expected input and verifying that the expected result is met. Negative testing, however, is the concept of giving unexpected or invalid inputs to a system and verifying receipt of an expected result (typically, that the data is not accepted or an error is generated that does not crash the system). Negative testing is common throughout ICSA Labs’ proprietary security testing programs and something we feel should be incorporated into future testing of EHR technologies under the ONC Certification program.

Consider the authentication and access control requirements (criteria 170.302.t and 170.302.o). Some of you may be aware of an old Unix bug that resulted in the operating system being unable to correctly support passwords over eight characters. If the password was 12 characters long, a user only needed to enter the first 8 characters to be allowed to login. This made password cracking on Unix servers much easier, and because the system allowed the entry of a longer password, most users were unaware of this limitation.

ICSA Labs has discovered the same or similar problems when testing products in our proprietary security certification programs, and the primary way we discover this is by negative testing. For example, we configure a password greater than eight characters, and then we attempt to login to the system using only the first eight characters. This should be treated as invalid by the system and rejected. However, the meaningful use EHR testing only tests that the system accepts valid passwords. There is no testing done on the system’s acceptance or rejection of invalid passwords.

The Future of EHR Testing Must Increase Security, Privacy

As we progress to the next stages of meaningful use certification, the requirements should begin to look at other areas of security, such as application testing for vulnerabilities like buffer overflows, SQL Injection, and cross-site scripting attacks. These are all examples of security testing best practices. In many instances, ONC has signaled its flexibility in allowing third-party products to complement functionality of EHR technologies, which means that not all of the functionality needs to be native to the product. This can allow EHR developers to focus on functionality that their customers are looking for, while at the same time keeping security as an important consideration in the product life cycle development.

It is our hope that future stages of meaningful use testing will raise the bar and specify how and when features like encryption should be used and the scope of testing will be expanded to include things like negative testing. As the meaningful use criteria evolve, it is critical that both the criteria and testing procedures are developed in ways that consider the long-term security and privacy of patient health records.  

About the author

John Lynn

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • It’s a great pleasure to read your blog. I find your post very informative. Thank you for sharing your insights.
    As a reader, I consider your writing to be a great example of a quality and globally competitive output. It would be a great thrill and honor if you could share your genuine ideas and knowledge to our community, Physician Nexus. With this you can gain 1000 physician readers from over 62 countries on Nexus.
    We would love for you to visit our community. It’s free, takes seconds, and is designed for physicians only – completely free of industry bias and commercial interests.
    Janmar Delicana
    On behalf of the Physician Nexus Team

  • Janmar,
    What a terrible offer. Trying to promote a physician only community to a non-physician. Oh well. At least I have the community here that’s free of industry bias and commercial interests.

  • Thanks Amit for shining a light on the issue of security requirements for Stage 1 certificaton. The incredibly low level of these security requirements is the ‘open secret’ that ONC-ATCBs and vendors are well aware of, but probably not the EHs and EPs. I appreciate you stepping up and addressing this. Hopefully, Stage 2 will raise the bar. It needs to.


    Jim Tate

Click here to post a comment