[BreachExchange] GAO criticizes HHS over security of patient health records

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 29 20:27:45 EDT 2016


http://www.newstarget.com/2016-09-29-gao-criticizes-hhs-over-security-of-patient-health-records.html

A Government Accountability Office (GAO) report released Monday said the
Department of Health and Human Services’ (HHS) oversight of health care
privacy laws “may not be as effective as it could be,” and could expose
health care records to more serious cyber attacks.

A team of GAO investigators, led by information security issues director
Gregory Wilshusen, said the growing use of electronic health care records
provides a number of benefits to patients, including reducing costs and
lessening the likelihood of medical errors during treatment.

However, hackers and data thieves are increasingly targeting these
electronic records because of their rising value on the black market.

“Criminals are aware that obtaining complete health records are often more
useful than isolated financial information, such as credit information,”
the GAO said.

The GAO report said the health information of more than 113 million
individuals was compromised in 2015, including a massive data breach of the
Anthem computer system, in which 79 million patient accounts were hacked.

The HHS is responsible for creating security guidelines for all health care
providers covered by the 1996 Health Insurance Portability and
Accountability Act (HIPAA) to ensure they keep patient data safe, and
observe federal privacy rules.

But GAO investigators said those guidelines don’t do nearly enough to
address the rapidly changing types, and increasing numbers, of security
threats.

The report said HHS guidance does not give health care providers the
specific guidance they need to develop “key security controls” that protect
patient data from theft.

GAO investigators also said health care providers have struggled to comply
with the security controls and privacy requirements the HHS has established.

“Without more comprehensive guidance,” the GAO said, health care providers
“may not be adequately protecting electronic health information from
compromise.”

The GAO said the HHS’s oversight effort to ensure providers comply with
federal rules and regulations “did not always fully verify that the
regulations were implemented.”

The report faulted the HHS’s Office of Civil Rights, which investigates
security issues and possible privacy violations, for providing “technical
assistance that was not pertinent to identified problems.”

Investigators said that in other instances, the Office of Civil Rights “did
not always follow up to ensure that agreed-upon corrective actions were
taken once investigative cases were closed.”

The GAO also said the Office of Civil Rights has no way of measuring
whether its audit and investigation programs have been successful.

“These weaknesses result in less assurance that loss or misuse of health
information is being adequately addressed,” the GAO said.

Wilshusen’s investigative team recommended that the HHS “update its
guidance for protecting electronic health information to address key
security elements,” and “improve technical assistance it provides to
covered entities.”

The HHS assistant secretary for legislation, Jim Esquea, generally agreed
with the recommendations, but said adopting some of them will depend on
available resources within the Department.

Esquea also said the Office of Civil Rights (OCR) is “sensitive to the
burdens [its investigations put] on HIPAA covered entities and business
associates.”

Because of this, Esquea said, the OCR must “consider how best to implement”
the GAO’s recommendations for follow-ups after a security or privacy
investigation “without creating unwarranted burdens on such entities once
an investigation is closed.”