4 security controls OIG will focus on in 2016

By Jack McCarthy
10:57 AM

The HHS Office of Inspector General (OIG) has listed several new and revised security measures in its 2016 work plan for better management of electronic health records and devices.

The plan, published last week, includes new controls for networked medical devices at hospitals and oversight of the security of EHRs, as well as revised controls for the security of Medicaid systems and for the information systems of state-based marketplaces.

Here's a look at four key areas.

1. For controls over networked medical devices at hospitals, OIG will examine whether FDA's oversight of these devices is sufficient to effectively protect associated electronic protected health information (ePHI) and ensure patients' safety. "Computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with EMRs and the larger health network, pose a growing threat to the security and privacy of personal health information," the report said.

2. The OIG will also take new measures to determine the adequacy of the Office for Civil Rights' (OCR) oversight of the security of electronic protected health information (ePHI). "Prior OIG audits reported that OCR had not assessed the risks, established priorities, or implemented controls for its HITECH Act requirement to provide for periodic audits of covered entities and business associates to ensure compliance with HITECH Act and HIPAA Rule requirements and, therefore, had limited assurance that covered entities and business associates adequately protected ePHI," the report said. Previous OIG audits showed numerous vulnerabilities in the systems and controls to protect ePHI.

3. Revised measures in the plan will include Centers for Medicare and Medicaid Services (CMS) oversight of states' Medicaid information systems security controls. "The OIG will determine the adequacy of CMS's oversight of states' Medicaid system and information security controls, including the policies, technical assistance, and security and operational guidance provided to the States," the report said. For some states, OIG will use automated assessment tools to assess controls for their information system networks, databases, Web-facing applications, logical access, and wireless access. Previous OIG audits found that states lack sufficient security features, potentially exposing Medicaid beneficiary health information to unauthorized access.

4. Also revised will be the information system security controls for state-based marketplaces. The OIG will determine whether information security controls for state-based marketplaces have been implemented in accordance with federal requirements and recognized industry best practices. OIG said it plans "to conduct vulnerability scans of Web-based systems using automated tools that seek to identify known security vulnerabilities and discover possible methods of attack that can lead to unauthorized access or the exfiltration of data."
