
Federal Audits Find HIT Security Problems at CMS, ONC

By John Commins, May 18, 2011

Audits of the federal agencies charged with implementing and monitoring security measures for healthcare information technology identified this week lax oversight and insufficient standards for healthcare providers.

The audits were conducted by the Department of Health and Human Services' Office of Inspector General, and targeted HIT security standards, privacy protection under HIPAA, and other security measures at the Centers for Medicare & Medicaid Services, and the Office of the National Coordinator. "These two reports are being issued simultaneously because OIG found weaknesses in the two HHS agencies entrusted with keeping sensitive patient records private and secure," OIG said in a media release.  

The CMS audit, Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight, examined seven hospitals across the country and found 151 "vulnerabilities" in systems and controls that are designed to safeguard electronic protected health information.

Those lapses included 124 "high impact vulnerabilities" such as unencrypted laptops and portable drives containing sensitive personal health information, outdated antivirus software and patches, unsecured networks, and the failure to detect rogue devices intruding on wireless networks, the OIG audit said.

"These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge," the OIG audit said. "As a result, CMS had limited assurance that controls were in place and operating as intended to protect electronic protected health information, thereby leaving ePHI vulnerable to attack and compromise."

OIG called on HHS' Office for Civil Rights to continue a compliance review that began in 2009 to ensure that controls are in place to protect ePHI at covered entities.

OIG's Audit of Information Technology Security Included in Health Information Technology Standards examined ONC's mandate under the HITECH Act to develop HIT security as part of a national HIT interoperability infrastructure. The audit found "no HIT standards that included general information IT security controls … which provide the structure, policies, and procedures that apply to a healthcare provider's overall computer operations, ensure the proper operation of information systems, and create a secure environment for application systems and controls."

OIG said the findings on ONC, when combined with vulnerabilities found in earlier audits of hospitals, Medicare contractors, and state Medicaid agencies, "raise concern about the effectiveness of IT security for HIT if general IT security controls are not addressed."

ONC concurred with the audit's recommendations that it:

  • Broaden its focus from interoperability specifications to also include well-developed general IT security controls for supporting systems, networks, and infrastructures;
  • Provide guidance to the health industry on established general IT security standards and IT industry security best practices;
  • Emphasize to the medical community the importance of general IT security;
  • Coordinate with CMS and HHS' Office for Civil Rights to add general IT security controls where applicable.

The complete ONC report may be viewed here.

John Commins is a content specialist and online news editor for HealthLeaders, a Simplify Compliance brand.
