Pritts said the government is in large part already heading in the same direction in which the inspector general was pointing, "but these things take time."
One criticism in the inspector general's report was that ONC should better use its powers to improve what it called general security controls. The inspector general specifically mentioned that ONC should push for standards for two-factor identification—security measures for participants in electronic health information exchange.
The watchdog agency's report also recommended that the ONC use its standards-setting authority under the federal electronic health-record incentive payment program to require encryption of data transferred to portable devices. And it called on the ONC to better use its bully pulpit to encourage and educate providers and other handlers of patient information to be more security-conscious.
Pritts said work groups and committees created under the American Recovery and Reinvestment Act of 2009 already are working on recommendations for two-factor authentication. The committee process helps the ONC get things right and promotes buy-in for regulations, Pritts said. Without the committee work, "people would not have been satisfied."
The publication by HHS' Office for Civil Rights of a list of organizations that have experienced breaches of 500 or more records has given the ONC data to analyze on 278 incidents thus far, which has "helped us identify the issues where we should devote our efforts to educating people," Pritts said.
The ONC also has provided "a number of security tools" to federal grantees developing health information exchanges and health IT extension programs, she said. A training video on data security for rank-and-file providers has been developed and is undergoing final review, she said.
Follow Joseph Conn on Twitter: @MHJConn.