HIT Security Must Be Improved, OIG says
An Office of Inspector General (OIG) audit, released May 16, reveals that basic protocols to secure patients’ electronic protected health information (ePHI) have been overlooked in the effort to facilitate widespread adoption of electronic health records (EHRs). In other words, EHRs are vulnerable to “hacking,” severely compromising patient privacy and inviting opportunities for identity theft and health care fraud.
The Office of the National Coordinator (ONC) is responsible for guiding the development of a nationwide, interoperable health information technology (HIT) infrastructure. The OIG audit found that ONC has adopted application information technology (IT) security controls to protect ePHI, but so far has not mandated general IT security controls. General IT security controls are “the structure, policies, and procedures that apply to an entity’s overall computer operation [to] ensure the proper operation of information systems, and [to] create a secure environment for application systems and controls.”
Stated another way, ONC requires that ePHI be transmitted securely between EHRs, but has failed to address security requirements for the computer systems at hospitals and doctors’ offices where health information is created and stored. This is all the more worrisome because the OIG said it “found a lack of general IT security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals.”
Based on the results of the audit, the OIG recommends that ONC:
- Broaden its focus from interoperability specifications to also include well-developed general IT security controls for supporting systems, networks, and infrastructures
- Use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices
- Emphasize to the medical community the importance of general IT security
- Coordinate its work with the Centers for Medicare & Medicaid Services (CMS) and the Office for Civil Rights (OCR) to add general IT security controls where applicable
ONC concurred with the OIG’s recommendations, but has not yet responded with a plan to put those recommendations into action. Read the report for complete details.
OIG Finds Hospitals Also Complacent
In a related report released the same day, the OIG also revealed that an audit of seven hospitals throughout the United States uncovered 151 separate vulnerabilities in the systems and controls intended to protect ePHI, “of which 124 were categorized as high impact.”
“These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk,” the report explains. For example, “Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge.”
The Social Security Act and the Security Rule require that any health plan, health care clearinghouse, or health care provider that transmits health information in electronic form must:
- ensure the confidentiality, integrity, and availability of the information;
- protect against any reasonably anticipated threats or risks to the security or integrity of the information; and
- protect against unauthorized uses or disclosures of the information.
The OIG report concludes that CMS’ oversight and enforcement actions have not been sufficient to ensure that covered entities are protecting patients’ information, “thereby leaving ePHI vulnerable to attack and compromise.” Based on this conclusion, the OIG recommends that OCR continue the compliance review process that CMS began in 2009, and “implement procedures for conducting compliance reviews to ensure that Security Rule controls are in place and operating as intended to protect ePHI at covered entities.”
OCR did not comment on the OIG’s specific findings, and has yet to take action in response, but stated that it had considered the OIG’s recommendations.