As HMSA and the Abercrombie administration push forward with electronic medical records in Hawaii—a key requirement for any medical rationing system—the Obama Administration’s Department of Health and Human Services Office of Inspector General has today released two audits of electronic medical records security systems…
AP: HHS inspector general says push for electronic medical records overlooks some security gaps
The government is offering rewards and penalties to encourage hospitals and doctors’ offices to adopt electronic medical records. Incentive payments could total as much as $27 billion over 10 years. Providers who insist on clinging to paper records will eventually face cuts in Medicare payments.
The hospitals were located in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas. For security reasons, they were not identified. But the list of vulnerabilities read like a road map for hackers.
All of the hospitals had access control vulnerabilities, including inadequate passwords, computers that did not automatically log off inactive users, and unencrypted laptops that contained patient data.
Most of the hospitals had problems with wireless access, including inability to detect unauthorized intrusion, lack of continuous monitoring, and in some cases the absence of a firewall separating wireless from other internal networks.
Another common problem was that hospitals were slow to update their computer software to defeat known security bugs.
One case was decidedly low-tech: At one hospital, the lock on the back door of a room used to store radiology data was taped over. The report said that as the auditors were watching, they saw a maintenance worker walk in.
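The AP excerpt above groups the audit findings into a handful of control categories: weak passwords, workstations that never log off idle users, unencrypted laptops holding patient data, wireless segments with no firewall or intrusion detection, and slow patching. The script below is an added example, not part of the AP story or either OIG report, showing how a hospital security team could turn those categories into an automated control-gap check over its own asset inventory. The asset records and the thresholds (12-character passwords, 15-minute inactivity log-off, 30-day patch window) are assumptions constructed for the example; the audits themselves publish no such numbers.

```python
"""Control-gap checker modelled on the categories in the OIG hospital audits.

Constructed example: asset records and thresholds are illustrative only.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Thresholds are assumptions for this example, not values from the audit reports.
MIN_PASSWORD_LEN = 12
MAX_INACTIVITY_MINUTES = 15
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Asset:
    name: str
    kind: str                          # "workstation", "laptop" or "wireless_ap"
    holds_phi: bool                    # does the device store or access ePHI?
    min_password_len: int              # enforced minimum password length
    inactivity_logoff_minutes: Optional[int]  # None means no automatic log-off
    disk_encrypted: bool
    days_since_last_patch: int
    wireless_firewalled: bool = True   # only meaningful for wireless_ap
    wireless_ids: bool = True          # intrusion detection / continuous monitoring


@dataclass
class Finding:
    asset: str
    control: str
    impact: str                        # "high" or "medium", mirroring the audit's categorisation
    detail: str


def check_asset(a: Asset) -> list[Finding]:
    """Evaluate one asset against the control categories named in the audit."""
    findings: list[Finding] = []

    # Access control: passwords and automatic log-off apply to user endpoints.
    if a.kind in ("workstation", "laptop"):
        if a.min_password_len < MIN_PASSWORD_LEN:
            findings.append(Finding(a.name, "access-control/password", "high",
                                    f"minimum length {a.min_password_len} < {MIN_PASSWORD_LEN}"))
        if a.inactivity_logoff_minutes is None or a.inactivity_logoff_minutes > MAX_INACTIVITY_MINUTES:
            findings.append(Finding(a.name, "access-control/auto-logoff", "high",
                                    f"inactivity log-off is {a.inactivity_logoff_minutes}"))

    # Portable devices holding patient data must be encrypted at rest.
    if a.kind == "laptop" and a.holds_phi and not a.disk_encrypted:
        findings.append(Finding(a.name, "encryption/portable-device", "high",
                                "laptop holds ePHI but disk is not encrypted"))

    # Patching: unpatched systems that touch ePHI rate higher than those that do not.
    if a.days_since_last_patch > MAX_PATCH_AGE_DAYS:
        findings.append(Finding(a.name, "patching/software-currency",
                                "high" if a.holds_phi else "medium",
                                f"{a.days_since_last_patch} days since last patch"))

    # Wireless: segmentation from the internal network and ongoing monitoring.
    if a.kind == "wireless_ap":
        if not a.wireless_firewalled:
            findings.append(Finding(a.name, "wireless/segmentation", "high",
                                    "no firewall between wireless and internal network"))
        if not a.wireless_ids:
            findings.append(Finding(a.name, "wireless/monitoring", "medium",
                                    "no intrusion detection or continuous monitoring"))
    return findings


def audit(assets: list[Asset]) -> list[Finding]:
    """Run every asset through the checks and return the combined finding list."""
    return [f for a in assets for f in check_asset(a)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by impact level, the way the audit summary reports them."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.impact] += 1
    return counts


# Constructed sample inventory: four assets exhibiting the audit's failure patterns.
SAMPLE_ASSETS = [
    Asset("ward-ws-01", "workstation", True, 8, None, True, 10),
    Asset("rad-laptop-07", "laptop", True, 12, 10, False, 45),
    Asset("guest-ap-02", "wireless_ap", False, 12, 5, True, 5,
          wireless_firewalled=False, wireless_ids=False),
    Asset("billing-ws-03", "workstation", True, 14, 15, True, 3),
]

if __name__ == "__main__":
    results = audit(SAMPLE_ASSETS)
    for f in results:
        print(f"[{f.impact.upper():6}] {f.asset}: {f.control} ({f.detail})")
    print(summarize(results))
```

Run against the constructed inventory, the checker reports six findings, five of them high impact, with the fourth asset passing cleanly. In practice the `Asset` records would be populated from endpoint management, MDM and network inventory exports rather than typed in by hand, and the thresholds would come from the organisation's own Security Rule risk analysis.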
* * * * *
Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight
Our review found that the Centers for Medicare & Medicaid Services' (CMS) oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Health Insurance Portability and Accountability Act of 1996 Security Rule. As a result, CMS had limited assurance that controls were in place and operating as intended to protect electronic protected health information (ePHI), thereby leaving ePHI vulnerable to attack and compromise. Both the Social Security Act and the Security Rule require a covered entity, defined as a health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form, to (1) ensure the confidentiality, integrity, and availability of the information; (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information; and (3) protect against unauthorized uses or disclosures of the information.
Our audits of 7 hospitals throughout the Nation identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge.
We recommended that the Department's Office for Civil Rights (OCR) continue the compliance review process that CMS began in 2009 and implement procedures for conducting compliance reviews to ensure that Security Rule controls are in place and operating as intended to protect ePHI at covered entities. OCR did not comment on our specific findings and stated that it had considered our recommendations. OCR also noted that it maintains a process for initiating covered entity compliance reviews in the absence of complaints and that it had used this process to open compliance reviews as a result of our hospital audits. Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so.
Download the complete report (PDF)
* * * * *
Audit of Information Technology Security Included in Health Information Technology Standards
The Department's Office of the National Coordinator (ONC) provides leadership for the development and nationwide implementation of an interoperable health information technology (HIT) infrastructure. ONC is charged with guiding the nationwide implementation of interoperable HIT to reduce medical errors, improve quality, produce greater value for health care expenditures, ensure that patients' individually identifiable health information is secure and protected, and facilitate the widespread adoption of electronic health records (EHR).
Our review found that ONC had application information technology (IT) security controls in the interoperability specifications, but there were no HIT standards that included general information IT security controls. General IT security controls are the structure, policies, and procedures that apply to an entity's overall computer operations, ensure the proper operation of information systems, and create a secure environment for application systems and controls. At the time of our initial audit, the interoperability specifications were the ONC HIT standards and included security features necessary for securely passing data between EHR systems (e.g., encrypting transmissions between EHR systems). These controls in the EHR systems were application security controls, not general IT security controls.
We found a lack of general IT security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals. Those vulnerabilities, combined with our findings in this audit, raise concern about the effectiveness of IT security for HIT if general IT security controls are not addressed.
We recommended that ONC (1) broaden its focus from interoperability specifications to also include well-developed general IT security controls for supporting systems, networks, and infrastructures; (2) use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices; (3) emphasize to the medical community the importance of general IT security; and (4) coordinate its work with the Centers for Medicare & Medicaid Services and the Department's Office for Civil Rights to add general IT security controls where applicable. ONC concurred with our recommendations.
Download the complete report (PDF)