Asleep at the switch
Inspector general’s reports have harsh words for HHS’ security rule enforcement, but experts say not all the criticism is warranted
Federal officials and healthcare providers are torn between a push to adopt information technology as quickly and broadly as possible and the rival demands of securing their patients’ private electronic data.
HHS’ inspector general’s office last week issued twin reports slamming the department for patterns long recognized, though not necessarily condemned, among health IT professionals.
The CMS and subsequently HHS’ Office for Civil Rights have not aggressively enforced the security rule of the Health Insurance Portability and Accountability Act of 1996, the inspector general’s office concluded in one audit report. A second audit found that the Office of the National Coordinator for Health Information Technology has failed to promote security as a priority in its strategies and standards.
Dr. David Blumenthal, national coordinator for health IT from March 2009 until April 8, wrote in a formal response letter to the inspector general’s office that ONC’s “primary mission” is to promote health IT adoption while striking a balance between security and “not creating such an onerous burden of technical requirements that the primary adoption goal would fail to be achieved.” By 2015, Blumenthal said, the ONC and the CMS expect to have “a strong security framework.”
Security experts agreed with many of the inspector general’s sharp assessments, but took issue with others. Not everyone believes Blumenthal is wrong about the balance. And some credit the Office for Civil Rights with applying more vigor to HIPAA security enforcement since inheriting the role from the CMS in 2009 while retaining an approach that’s more constructive than punitive.
The inspector general’s office used the results of its own random security compliance audits between August 2009 and March 2010 as evidence of a serious need for tougher security enforcement by the civil rights office and recommended that the office do its own random compliance audits.
The auditors identified 151 “vulnerabilities in the systems and controls” of seven unnamed hospitals in California, Georgia, Illinois, Massachusetts, Missouri, New York and Texas. The report described 124 of the weaknesses as “high impact.”
They included ineffective encryption and lack of firewalls on wireless networks, computers that did not automatically log off users after periods of inactivity, and computers and servers with security and antivirus updates left uninstalled. Some of the hospitals were found to have shared administrator accounts or user IDs and passwords that had not been changed from defaults, as well as user accounts with inappropriate access to patient information.
The reports shocked no one among the industry’s security experts. “This isn’t a surprise, or shouldn’t be a surprise, to anyone,” said Michael “Mac” McMillan, the CEO and cofounder of Austin, Texas-based healthcare information security firm CynergisTek. McMillan also serves as chairman of the Privacy and Security Steering Committee of the Healthcare Information and Management Systems Society, the health IT industry’s largest trade group.
The government’s weak record on electronic security enforcement, according to McMillan, is reflected in the industry’s lack of investment in data security. For three years, HIMSS has conducted annual surveys of healthcare security professionals. Its most recent report, released in November, indicated IT security remains a ghostly blip on the industry’s radar screen. The most recent survey found that almost half (46%) of organizations spent 3% or less of their IT bud-
Most privacy breaches reported to HHS involve the theft or loss of hardware, often laptop computers or other portable devices (See chart, p. 7.)