The U.S. Department of Health & Human Services (HHS) Office of Inspector General (OIG) has released two reports that question HHS agencies' efforts to secure electronic protected health information.
An OIG audit cited the Office of the National Coordinator for Health IT (ONC) for lackluster efforts to ensure that patients' individually identifiable health information is secure and adequately protected as interoperable health IT is implemented nationwide. A second report criticized the Centers for Medicare & Medicaid Services' (CMS) lax enforcement of the HIPAA Security Rule prior to June 2009.
The CMS report
To determine whether CMS' oversight and enforcement of hospitals' implementation of the HIPAA Security Rule was sufficient, OIG audited seven covered hospitals around the country. It concluded that CMS' oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Security Rule, according to the report.
“As a result, CMS had limited assurance that controls were in place and operating as intended to protect electronic personal health information, thereby leaving electronic personal health information vulnerable to attack and compromise,” the report stated.
“Specifically, our audits of seven hospitals throughout the nation identified 151 vulnerabilities in the systems and controls intended to protect electronic personal health information, of which 124 were categorized as high impact. These vulnerabilities placed the confidentiality, integrity and availability of electronic personal health information at risk,” OIG continued. “Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospital's knowledge.”
OIG recommended that the Office for Civil Rights (OCR), which took over Security Rule enforcement from CMS in 2009, continue the compliance review process that CMS began that year and implement procedures for conducting compliance reviews, so that Security Rule controls are in place and operating as intended to protect electronic personal health information at covered entities.
The ONC report
The report on ONC addressed security controls in health IT standards. OIG found that ONC's interoperability specifications included application-level IT security controls, but that no health IT standard included general IT security controls.
General IT security controls include encrypting data stored on mobile devices and removable media, such as compact discs and thumb drives; requiring two-factor authentication for remote access to a health IT system; and patching the operating systems of computers that process and store electronic health records (EHRs), according to the report.
At the time of the audit, ONC's health IT standards consisted of the interoperability specifications, which included security features needed to pass data securely between EHR systems, such as encrypting transmissions between those systems. These, however, are application security controls built into the EHR systems themselves, not general IT security controls for the surrounding systems, networks and infrastructure, the report read.
OIG had found these and other general IT security controls lacking during prior audits of Medicare contractors, state Medicaid agencies and hospitals, according to the report. “The vulnerabilities that we noted, combined with our findings in this audit, raise concern about the effectiveness of IT security for health IT if general IT security controls are not addressed,” the report stated.
OIG recommended that ONC:
- Broaden its focus from interoperability specifications to include well-developed general IT security controls for supporting systems, networks and infrastructures;
- Use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices;
- Emphasize to the medical community the importance of general IT security; and
- Coordinate its work with CMS and OCR to add general IT security controls where applicable.
More security welcomed
Responding to the ONC report, the American Health Information Management Association (AHIMA), a Chicago-based nonprofit health organization, stated that it welcomed OIG's advice that ONC strengthen the security of meaningful use through standards requirements for EHRs and health information exchanges (HIEs).
“Even though AHIMA believes the audit is not large enough to be reflective