Watchdog Hits HHS on Records Security
Inspector General: Electronic Health Record Protections Inadequate
The reports, which focus primarily on carrying out the HIPAA Security Rule, point out shortcomings in the efforts of two HHS units: The Office for Civil Rights, which enforces the HIPAA security and privacy rules, and the Office of the National Coordinator for Health Information Technology, which oversees the HITECH Act electronic health record incentive program.
A report on HIPAA oversight calls on OCR to ramp up its compliance review efforts to ensure adequate security controls are in place at hospitals.
A second report on the standards for the EHR incentive program concludes that the criteria for EHR software for stage one of the Medicare and Medicaid incentive program did not adequately address a number of security issues.
HIPAA Enforcement Critique
To help determine the effectiveness of OCR's enforcement efforts, the inspector general conducted audits of seven hospitals. "Although each of the seven hospitals had implemented some controls, policies and procedures to protect ePHI [electronic protected health information] from improper alteration or destruction, none had sufficiently implemented the administrative, technical and physical safeguard provisions of the Security Rule," the report states.
The audits, the report says, identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. "These vulnerabilities placed the confidentiality, integrity and availability of ePHI at risk," according to the report. "Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge."
The report offers numerous examples of serious security issues at the hospitals that were audited. For example, one hospital's data center "had large open shelves and an unsecured indoor window located between an external hallway and the data center's main entrance. In addition, the radiology data backup room's back door lock had been taped over. Unauthorized personnel could have gained access to the data center by climbing through the open shelves or the unlocked window."
The report also notes that five of the seven hospitals had wireless vulnerabilities, including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks and no authentication required to enter the wireless network, among others.
As a result, the report urges OCR to "implement procedures for conducting compliance reviews to ensure that Security Rule controls are in place and operating as intended to protect ePHI at covered entities."
In its reply to the report, OCR states that it maintains a process for initiating compliance reviews in the absence of complaints, but it offers no evidence of any such reviews other than those related to the seven audits conducted by the inspector general. OCR notes, however, that it conducts compliance reviews when health information breaches affecting 500 or more individuals are reported.
OCR Director Georgina Verdugo also states in her reply: "We caution against drawing conclusions about the state of compliance of all covered entities based on the small sample of narrowly focused audits performed ..."
The HHS Centers for Medicare and Medicaid Services, which had been enforcing the HIPAA Security Rule, delegated that task to OCR in July 2009.
A HITECH-mandated HIPAA compliance audit program is long overdue. Last week, Susan McAndrew, deputy director for health information privacy at OCR, said the agency was getting ready to hire a contractor to test one model for the audits, but she did not specify when the program will begin. (See: Breach Rule Enforcer Offers Advice).
And OCR recently requested a 13.5 percent increase in its fiscal 2012 budget for, among other things, enforcement of the HIPAA Security Rule and compliance reviews of smaller breach incidents. (See: More HIPAA Enforcement Funding Sought).
EHR Security Criteria Lacking
In its report addressing the HITECH Act EHR incentive program, the inspector general says the rule establishing EHR software criteria for the program discusses security in terms of application controls, but does not contain general IT security controls. It defines these missing controls as "the structure, policies and procedures that apply to an entity's overall computer operations, ensure the proper operation of information systems and create a secure environment for application systems and controls."
General IT security controls are needed to ensure a secure environment for health data, according to the report, which offers three examples of the controls that should be addressed:
- Encrypting data stored on mobile devices, such as compact disks and thumb drives;
- Requiring two-factor authentication when remotely accessing a health IT system; and
- Patching the operating systems of computer systems that process and store EHRs.
The report recommends that ONC:
- Broaden its focus from interoperability specifications to include well-developed general IT security controls for supporting systems, networks and infrastructures;
- Use its leadership role to provide guidance to the healthcare industry on established general IT security standards and IT industry security best practices;
- Emphasize to the medical community the importance of general IT security; and
- Coordinate its work with CMS and OCR to add general IT security controls where applicable.
Striking a Balance?
In a response to the report, David Blumenthal M.D., who recently stepped down as head of ONC, noted: "In the early stages of [EHR] adoption efforts under HITECH, ONC has worked to strike the right balance between ensuring the security of health information among new adopters while not creating such an onerous burden of technical requirements that the primary adoption goal would fail to be achieved. By the end of the HITECH-related wave of health IT implementations in 2015, ONC expects to have a well-developed set of certification criteria that, coupled with practices initiated under the CMS [EHR] meaningful use rule, will form a strong security framework for the use and exchange of electronic health information."
Policy and standards committees advising ONC are drafting criteria for future stages of the EHR incentive program. Among other things, they're considering recommendations from a Privacy and Security Tiger team on authentication and other issues.