Tuesday, December 24, 2024
Hawai'i Free Press

Current Articles | Archives

Thursday, May 19, 2011
Your Private Information Public? HHS Audit finds massive Security Gaps in Electronic Medical Records
By Selected News Articles @ 11:32 AM :: 9735 Views :: Energy, Environment, National News, Ethics

As HMSA and the Abercrombie administration push forward with electronic medical records in Hawaii—a key requirement for any medical rationing system—the Obama Administration’s Department of Health and Human Services Office of Inspector General has today released two audits of electronic medical records security systems…. 

AP: HHS inspector general says push for electronic medical records overlooks some security gaps

The government is offering rewards and penalties to encourage hospitals and doctors’ offices to adopt electronic medical records. Incentive payments could total as much as $27 billion over 10 years. Providers who insist on clinging to paper records will eventually face cuts in Medicare payments.

The hospitals were located in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas. For security reasons, they were not identified. But the list of vulnerabilities read like a road map for hackers.

All of the hospitals had access control vulnerabilities, including inadequate passwords, computers that did not automatically log off inactive users, and unencrypted laptops that contained patient data.

Most of the hospitals had problems with wireless access, including inability to detect unauthorized intrusion, lack of continuous monitoring, and in some cases the absence of a firewall separating wireless from other internal networks.

Another common problem was that hospitals were slow to update their computer software to defeat known security bugs.

One case was decidedly low-tech: At one hospital, the lock on the back door of a room used to store radiology data was taped over. The report said that as the auditors were watching, they saw a maintenance worker walk in.

read more

  *   *   *   *   *

05-16-2011

Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight

Executive Summary

Our review found that the Centers for Medicare & Medicaid Services' (CMS) oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Health Insurance Portability and Accountability Act of 1996 Security Rule. As a result, CMS had limited assurance that controls were in place and operating as intended to protect electronic protected health information (ePHI), thereby leaving ePHI vulnerable to attack and compromise. Both the Social Security Act and the Security Rule require a covered entity, defined as a health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form, to (1) ensure the confidentiality, integrity, and availability of the information; (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information; and (3) protect against unauthorized uses or disclosures of the information.

Our audits of 7 hospitals throughout the Nation identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge.

We recommended that the Department's Office for Civil Rights (OCR) continue the compliance review process that CMS began in 2009 and implement procedures for conducting compliance reviews to ensure that Security Rule controls are in place and operating as intended to protect ePHI at covered entities. OCR did not comment on our specific findings and stated that it had considered our recommendations. OCR also noted that it maintains a process for initiating covered entity compliance reviews in the absence of complaints and that it had used this process to open compliance reviews as a result of our hospital audits. Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so.

Complete Report

Notification Download the complete report(PDF)

  *   *   *   *   *

05-16-2011

Audit of Information Technology Security Included in Health Information Technology Standards

Executive Summary

The Department's Office of the National Coordinator (ONC) provides leadership for the development and nationwide implementation of an interoperable health information technology (HIT) infrastructure. ONC is charged with guiding the nationwide implementation of interoperable HIT to reduce medical errors, improve quality, produce greater value for health care expenditures, ensure that patients' individually identifiable health information is secure and protected, and facilitate the widespread adoption of electronic health records (EHR).

Our review found that ONC had application information technology (IT) security controls in the interoperability specifications, but there were no HIT standards that included general information IT security controls. General IT security controls are the structure, policies, and procedures that apply to an entity's overall computer operations, ensure the proper operation of information systems, and create a secure environment for application systems and controls. At the time of our initial audit, the interoperability specifications were the ONC HIT standards and included security features necessary for securely passing data between EHR systems (e.g., encrypting transmissions between EHR systems). These controls in the EHR systems were application security controls, not general IT security controls.

We found a lack of general IT security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals. Those vulnerabilities, combined with our findings in this audit, raise concern about the effectiveness of IT security for HIT if general IT security controls are not addressed.

We recommended that ONC (1) broaden its focus from interoperability specifications to also include well-developed general IT security controls for supporting systems, networks, and infrastructures; (2) use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices; (3) emphasize to the medical community the importance of general IT security; and (4) coordinate its work with the Centers for Medicare & Medicaid Services and the Department's Office for Civil Rights to add general IT security controls where applicable. ONC concurred with our recommendations.

read more

Notification Download the complete report(PDF)

 

Links

TEXT "follow HawaiiFreePress" to 40404

Register to Vote

2aHawaii

Aloha Pregnancy Care Center

AntiPlanner

Antonio Gramsci Reading List

A Place for Women in Waipio

Ballotpedia Hawaii

Broken Trust

Build More Hawaiian Homes Working Group

Christian Homeschoolers of Hawaii

Cliff Slater's Second Opinion

DVids Hawaii

FIRE

Fix Oahu!

Frontline: The Fixers

Genetic Literacy Project

Grassroot Institute

Habele.org

Hawaii Aquarium Fish Report

Hawaii Aviation Preservation Society

Hawaii Catholic TV

Hawaii Christian Coalition

Hawaii Cigar Association

Hawaii ConCon Info

Hawaii Debt Clock

Hawaii Defense Foundation

Hawaii Family Forum

Hawaii Farmers and Ranchers United

Hawaii Farmer's Daughter

Hawaii Federation of Republican Women

Hawaii History Blog

Hawaii Jihadi Trial

Hawaii Legal News

Hawaii Legal Short-Term Rental Alliance

Hawaii Matters

Hawaii Military History

Hawaii's Partnership for Appropriate & Compassionate Care

Hawaii Public Charter School Network

Hawaii Rifle Association

Hawaii Shippers Council

Hawaii Together

HiFiCo

Hiram Fong Papers

Homeschool Legal Defense Hawaii

Honolulu Navy League

Honolulu Traffic

House Minority Blog

Imua TMT

Inouye-Kwock, NYT 1992

Inside the Nature Conservancy

Inverse Condemnation

July 4 in Hawaii

Land and Power in Hawaii

Lessons in Firearm Education

Lingle Years

Managed Care Matters -- Hawaii

MentalIllnessPolicy.org

Missile Defense Advocacy

MIS Veterans Hawaii

NAMI Hawaii

Natatorium.org

National Parents Org Hawaii

NFIB Hawaii News

NRA-ILA Hawaii

Obookiah

OHA Lies

Opt Out Today

Patients Rights Council Hawaii

Practical Policy Institute of Hawaii

Pritchett Cartoons

Pro-GMO Hawaii

RailRipoff.com

Rental by Owner Awareness Assn

Research Institute for Hawaii USA

Rick Hamada Show

RJ Rummel

School Choice in Hawaii

SenatorFong.com

Talking Tax

Tax Foundation of Hawaii

The Real Hanabusa

Time Out Honolulu

Trustee Akina KWO Columns

Waagey.org

West Maui Taxpayers Association

What Natalie Thinks

Whole Life Hawaii