Asleep at the switch

Inspector general’s reports have harsh words for HHS’ security rule enforcement, but experts say not all the criticism is warranted

Modern Healthcare, Cover Story

Federal officials and healthcare providers are torn between a push to adopt information technology as quickly and broadly as possible and the rival demands of securing their patients’ private electronic data.

HHS’ inspector general’s office last week issued twin reports slamming the department for patterns long recognized, though not necessarily condemned, among health IT professionals.

The CMS and subsequently HHS’ Office for Civil Rights have not aggressively enforced the security rule of the Health Insurance Portability and Accountability Act of 1996, the inspector general’s office concluded in one audit report. A second audit found that the Office of the National Coordinator for Health Information Technology has failed to promote security as a priority in its strategies and standards.

Dr. David Blumenthal, national coordinator for health IT from March 2009 until April 8, wrote in a formal response letter to the inspector general’s office that ONC’s “primary mission” is to promote health IT adoption while striking a balance between security and “not creating such an onerous burden of technical requirements that the primary adoption goal would fail to be achieved.” By 2015, Blumenthal said, the ONC and the CMS expect to have “a strong security framework.”

Security experts agreed with many of the inspector general’s sharp assessments, but took issue with others. Not everyone believes Blumenthal is wrong about the balance. And some credit the Office for Civil Rights with applying more vigor to HIPAA security enforcement since inheriting the role from the CMS in 2009 while retaining an approach that’s more constructive than punitive.

The inspector general’s office used the results of its own random security compliance audits between August 2009 and March 2010 as evidence of a serious need for tougher security enforcement by the civil rights office and recommended that the office do its own random compliance audits.

The auditors identified 151 “vulnerabilities in the systems and controls” of seven unnamed hospitals in California, Georgia, Illinois, Massachusetts, Missouri, New York and Texas. The report described 124 of the weaknesses as “high impact.”

They included ineffective encryption and lack of firewalls on wireless networks, computers that did not automatically log off users after periods of inactivity, and computers and servers with security and antivirus updates left uninstalled. Some of the hospitals were found to have shared administrator accounts or user IDs and passwords that had not been changed from defaults, as well as user accounts with inappropriate access to patient information.

The reports shocked no one among the industry’s security experts. “This isn’t a surprise, or shouldn’t be a surprise, to anyone,” said Michael “Mac” McMillan, the CEO and cofounder of Austin, Texas-based healthcare information security firm CynergisTek. McMillan also serves as chairman of the Privacy and Security Steering Committee of the Healthcare Information and Management Systems Society, the health IT industry’s largest trade group.

The government’s weak record on electronic security enforcement, according to McMillan, is reflected in the industry’s lack of investment in data security. For three years, HIMSS has conducted annual surveys of healthcare security professionals. Its most recent report, released in November, indicated IT security remains a ghostly blip on the industry’s radar screen. The most recent survey found that almost half (46%) of organizations spent 3% or less of their IT bud-

Most privacy breaches reported to HHS involve the theft or loss of hardware, often laptop computers or other portable devices. (See chart, p. 7.)
