FISMA is becoming a roadblock for electronic health record implementation, Government Health IT magazine reported this week.
The Federal Information and Security Management Act (FISMA), passed by Congress in 2002 to better protect the federal government against cyber attacks, mandates information security standards for all federal agencies. This includes the flow of data between the Centers for Medicare and Medicaid (CMS) and their contractors—over 200 hundred of them, processing billions of Medicare claims. The new worry from CMS, according to Government Health IT, is that healthcare providers sharing EHR files will be required to meet FISMA standards, which include an annual security test and FISMA certification.
A CMS spokesperson is quoted as saying that this would be more than “burdensome” for both CMS and health care providers and organizations.
The conundrum is that information will be moving between the HIPPA world (the private sector) and the FISMA world (the government)—that latter of which is much more secure, from a protocol/standards perspective. Federal agencies are held to a higher standard than the private sector with respect to information security.
For a long time, consumer groups have argued that HIPPA is a weak standard for patient information security. Yet, many worry that if FISMA is applied to the private sector, there will be a compliance crisis that will be costly to remedy. But why shouldn’t the transfer of health information be held to the highest security standards? Advocates of a middle ground argue “yes,” but not quite as stringent as FISMA. They standards should be more of a more of a “HIPPA-plus” or “FISMA-lite,” in the words of Vish Sankaran, a program director for the Federal Health Architecture project to connect health information entities. More Here EMR