ehr onc final certification - Department of Health Care Services
SHA-1 and other secure hash algorithms can be found in FIPS 180-3 5 while more
information on the security strength of certain hashing algorithms can be found in NIST
Special Publication 800-107. 6

Comments. Some commenters noted that §170.302(s)(2) refers to the use of the
adopted standard which specifies the use of hashing to detect audit log alteration or
deletion and that such a requirement is inappropriate. Other commenters recommended
that hashing should not, at the present time, be used for detecting alterations to data at
rest.

Response. We have considered these comments and agree with these commenters
that this requirement requires further clarification. We note that part of this requirement
as adopted in the Interim Final Rule (“detect … deletion of electronic health
information”) is redundant with the standard we specify for audit logs which requires that
deletions of electronic health information be recorded. For this reason, we have removed
the reference to the detection of deleted electronic health information and have opted for
a more concise requirement that alterations to audit logs be detected. In response to
public comment, we have chosen not to specify a standard for detecting alterations to
audit logs at this time.

Comment. One commenter requested clarification as to how message hashing
should work when messages are part of a multi-part transmission process, e.g., through
switches, clearinghouses, and other brokers.

Response. We expect Certified EHR Technology to be capable of generating a
hash of electronic health information and upon receipt of such information, verifying that

5 http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf
6 http://csrc.nist.gov/publications/nistpubs/800-107/NIST-SP-800-107.pdf