Government updates: GAO scores HHS on cybersecurity issues; patient issues largely omitted from EHR notes in VA study

The Government Accountability Office’s (GAO) latest report remains critical of HHS’ leadership on cybersecurity issues. Using the immense Change Healthcare data breach as a glaring example, GAO’s report released 13 November outlines HHS’s continued ‘challenges’ in ensuring that, among Federal agencies, it takes the lead in strengthening cybersecurity in the healthcare sector. For instance, HHS coordinates with the Cybersecurity and Infrastructure Security Agency (CISA), the national coordinating agency for critical infrastructure security and resilience. Where HHS again comes up short against GAO’s prior reports and recommendations:

  • Weakness in tracking how effectively healthcare organizations are mitigating ransomware
  • Not yet assessing how healthcare organizations are adopting the ransomware-specific practices outlined in the NIST (National Institute of Standards and Technology) cybersecurity framework, centered on identify, detect, protect, respond, and recover.
  • Inability to document the effectiveness of the support HHS provides to healthcare organizations, such as guidance documents, training, job aids, and threat briefings, to help the sector manage ransomware risks.
  • Not conducting a comprehensive sector-wide cybersecurity risk assessment addressing the IoT (Internet of Things) and OT (operational technology) devices and systems common in healthcare.
  • Not using its Administration for Strategic Preparedness and Response (ASPR) to fully and consistently monitor the working groups supporting the healthcare sector on their progress against goals and responsibilities, and on their collaboration.
  • The Centers for Medicare and Medicaid Services (CMS) has had requirements in place since 2020 whose parameters conflict with those established by other federal agencies that share data with states, such as the Social Security Administration.
  • CMS has policies to assess states’ cybersecurity but does not coordinate with other federal agencies on the assessments.

GAO’s latest report recommended that:

  • HHS, in coordination with CISA and sector entities, determine the sector’s adoption of leading cybersecurity practices that help reduce ransomware risk.
  • HHS, in coordination with CISA and sector entities, develop evaluation procedures to measure the effectiveness of its support in helping to reduce ransomware risk.
  • HHS include IoT and OT devices in its risk assessments of the sector’s cyber environment.
  • ASPR take action to fully and consistently demonstrate leading collaboration practices.
  • CMS (1) solicit input from relevant federal agencies on revisions to its security policy to ensure consistency across cybersecurity requirements for state agencies, and (2) revise its assessment policies to maximize coordination with other federal agencies.

Highlights and full report

EHR notes also come up short when it comes to issues brought up by patients, and they include information outside the clinician-patient transcript. This observational study from the Regenstrief Institute, by two Indiana University medical researchers at the VA, found multiple discrepancies between EHR notes, which are supposed to recap the conversation between patient and clinician during a primary care appointment, and the transcripts of those conversations. It took place at four primary care clinics at a midwestern Veterans Affairs (VA) Medical Center and one associated VA community-based outpatient clinic, all using the current VistA EHR. Video and audio recordings were used to create transcripts that were then compared with the EHR notes.

The discrepancies ran in both directions. According to the study, “fewer than half of issues that patients initiated in discussion were included in notes, and nearly half of notes referred to information or observations that could not be verified.” Whether an issue was recorded also depended on who raised it. For instance, psychosocial issues were common in patient-clinician discussions. “The researchers found that when the clinician initiated discussion about these issues, 92 percent of notes in the EHR included them, but when the patient initiated discussion, only 45 percent did.”

The study also questioned gaps in note quality:

  • 8% of notes lacked an assessment and plan. Were some assessments truly incomplete, and some important plans actually skipped?
  • 18% of notes were missing follow-up plans. Were some follow-up plans never arranged?
  • 26% lacked reports of diagnostic test results. Were such results simply absent or unimportant, or were important findings unavailable, difficult to access, or overlooked?

“We recognize that certain variations in EHR documentation stem from authors’ preferences or styles about how to organize or structure notes. At the same time, notes should not lack critical elements.” Reasons for omissions could include “lack of recognition of the significance of a problem by clinicians, forgetfulness while writing notes, insufficient time to complete records accurately and thoroughly; belief that the issue had already been addressed; or prioritization of other concerns.”

Drs. Michael Weiner and Richard Frankel both research various aspects of health information technology aimed at improving patient outcomes and doctor-patient communication. They are affiliated with the US Department of Veterans Affairs Health Services Research and Development Center for Health Information and Communication, and are professors of medicine at Indiana University’s medical school. Regenstrief Institute article 12 Nov, BMC Primary Care published study 18 July 2024
