OIG Audits Security Work of ONC, CMS
Two Office of the Inspector General audits of the Office of the National Coordinator for Health Information Technology and the Centers for Medicare and Medicaid Services report that the agencies are not doing enough to secure health information in the push toward EHR implementation.
“Our review found that CMS’s oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Health Insurance Portability and Accountability Act of 1996 Security Rule,” OIG wrote. “As a result, CMS had limited assurance that controls were in place and operating as intended to protect electronic protected health information, thereby leaving ePHI vulnerable to attack and compromise.”
The audits come in the midst of the federal push for more healthcare facilities to implement electronic health records through the meaningful use incentive program. Failing to address the security concerns of burgeoning electronic systems will expose a greater amount of health information to risk, OIG stated.
While ONC has instituted security controls for the transfer of healthcare information between EHR systems, OIG observed that the general IT security controls needed for the secure storage of health information in facilities such as hospitals were missing.
“We found a lack of general IT security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals. Those vulnerabilities, combined with our findings in this audit, raise concern about the effectiveness of IT security for HIT if general IT security controls are not addressed,” OIG wrote.
The CMS audit included the Office for Civil Rights, which was given charge of enforcing the HIPAA security rule in 2009. In the audit, OIG examined computer security at seven large hospitals across the US. The audit identified 151 vulnerabilities in the systems and controls intended to protect ePHI at the hospitals, of which 124 were categorized as high impact. OIG classifies high impact vulnerabilities as those that place the confidentiality, integrity, and availability of ePHI at risk.
Most of the security issues identified by the audit, such as unencrypted laptops, lax wireless access protections, or missing security policies and procedures, involve common security safeguards that every healthcare organization should implement.
The audit suggests ONC institute more security requirements in the stage 2 meaningful use program.
Other recommendations call for ONC to broaden its focus from interoperability specifications to also include well-developed general IT security controls for supporting systems, networks, and infrastructures; use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices; emphasize to the medical community the importance of general IT security; and coordinate its work with CMS and OCR to add general IT security controls where applicable.
ONC concurred with many of OIG's recommendations, and said it would explore implementing stronger security safeguards.
OCR stated the agency would take OIG's recommendations under consideration, but said in a written response that auditing only seven hospitals is not a large enough study to be reflective of the nation's state of health information security. OCR regularly conducts audits of healthcare facilities that report a security breach affecting 500 people or more, the response said.