Security Gaps May Threaten Electronic Health Records
Two reviews raise significant concerns about the security of electronic patient health information - "Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight" ("Nationwide Rollup") and "Audit of Information Technology Security Included in Health Information Technology Standards" ("HIT Standards"). These two reports are being issued simultaneously because OIG found weaknesses in the two HHS agencies entrusted with keeping sensitive patient records private and secure.
"Nationwide Rollup" presents consolidated findings from prior nonpublic audits of seven hospitals. We found numerous, significant general IT security control vulnerabilities in the hospitals we audited, leaving patient health information at risk. "HIT Standards" discusses the lack of general IT security controls in the Health Information Technology (HIT) standards promulgated by the Office of the National Coordinator (ONC) within HHS.
ONC was directed by the Health Information Technology for Economic and Clinical Health (HITECH) Act to develop a nationwide implementation of an interoperable HIT infrastructure including security for HIT systems.
The report found, however, that the ONC specifications focused on IT security application controls for communication between Electronic Health Record systems, but did not include basic, general IT security controls.
Based on HITECH, ONC relies on the Security Rule in the Health Insurance Portability and Accountability Act (HIPAA) to ensure that appropriate general IT security controls are in place at providers such as hospitals and doctor offices. The Security Rule had been administered by the Centers for Medicare & Medicaid Services (CMS). Subsequent to our audits, responsibility for implementing the rule now rests with the HHS Office for Civil Rights.
OIG found security vulnerabilities resulting from the implementation of the Security Rule by CMS.
In our audits of seven large hospitals, OIG identified 151 vulnerabilities in the systems and controls intended to protect sensitive health information, of which 124 were categorized as high impact.
High impact vulnerabilities include unencrypted laptops and portable drives containing sensitive personal health information, outdated antivirus software and patches, unsecured networks, and the failure to detect rogue devices intruding on wireless networks. These vulnerabilities placed the confidentiality, integrity, and availability of sensitive health information at risk. Outsiders or employees at some hospitals could have accessed, and at one of the seven hospitals did access, systems and beneficiaries' personal data.
Individual report summaries: