In a recently released government report, the Office of the Inspector General (OIG), for the Department of Health and Human Services (HHS) found that the group (ONC) within HHS responsible for the infrastructure of the electronic healthcare records systems, failed to implement general IT security controls.
The report entitled “Audit of Information Technology Security Included in Health Information Technology Standards (A-18-09-30160),” states general IT security controls emphasized by the Office of Management and Budget and the National Institute of Standards and Technology but not addressed by ONC are:
• encrypting data stored on mobile devices, such as compact disks and thumb drives;
• requiring two-factor authentication when remotely accessing an HIT system; and
• patching the operating systems of computer systems that process and store EHR
“We found the lack of these and other general IT security controls during prior Office of Inspector General audits at Medicare contractors, State Medicaid agencies, and hospitals. The vulnerabilities that we noted, combined with our findings in this audit, raise concern about the effectiveness of IT security for HIT (health information technology) if general IT security controls are not addressed.”
This is a little disconcerting given the push towards full electronic disposition of personal healthcare records. ONC (Office of the National Coordinator for Health Information Technology) did respond to the audit report by stating “it relies on the HIPAA Security Rule to ensure that appropriate IT security controls are in place.”
However, the OIG wasn’t convinced as their “concern with the effectiveness of the HIPAA Security Rule is based on work that we did on CMS’s oversight of covered entity compliance with HIPAA and the significant weaknesses we found in IT security at eight hospitals.” Examples of the weaknesses identified at the eight hospitals included:
• unprotected wireless networks,
• lack of vendor support for OSs,
• inadequate system patching,
• outdated or missing antivirus software,
• lack of encryption of data on portable devices and media,
• lack of system event logging or review,
• shared user accounts, and
• excessive user access and administrative rights.
And therefore the OIG states their “experience with HIPAA implementation in hospitals does not support ONC’s position that HIPAA provides adequate general IT security.”
In the end the OIG recommended that ONC:
• broaden its focus from interoperability specifications to include well-developed general IT security controls for supporting systems, networks, and infrastructures;
• use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices;
• emphasize to the medical community the importance of general IT security; and
• coordinate its work with CMS and OCR to add general IT security controls where applicable.
There is hope at the end of the tunnel.