A screen capture of the healthcare.gov website March 24, 2016.
A screen capture of the healthcare.gov website March 24, 2016. | Healthcare.gov / Jacob Bielanski

GAO: Healthcare.gov systems experienced 316 “incidents” since 2013

A report from the Government Accountability Office (GAO) calls for changes to security policy for the Healthcare.gov website, after 316 “security incidents” were documented between October 2013 and March 2015.  

The report, released Wednesday, was immediately followed by a letter from the chairs of eight Senate committees (all Republican), requesting the Department of Health and Human Services (HHS) and Centers for Medicare and Medicaid Services (CMS) to release detailed information on the impact of the incidents, which included 41 involving "personally identifiable information."

"Today's GAO report also reveals that the Department of Health and Human Services does not have complete records of how many people these incidents impacted, despite a 2013 GAO recommendation that the department keep such documentation," the letter reads.

Niam Yaraghi, a fellow with the Brookings Institution’s Center for Technology Innovation told AMI Newswire that his own research on the topic is leading to similar findings as the GAO. He noted that while the findings speak to a problem with security in the health care site, the incidents outlined in the report do not seem to be overly concerning.

“Neither the number of the breaches, nor their magnitude, is as bad as it looks,” Yaraghi said. “So, sleep easy at night, but still, at the same time, healthcare is still … vulnerable to healthcare breaches.”

Yaraghi notes that analyses of security breaches are designed to assume the worst, with many resulting from lost equipment. He used the example of a doctor transferring one patient’s file to a thumb drive and subsequently losing the thumb drive. If that doctor can’t remember who that one patient was, he has to assume all of his patient files are at risk.

The GAO report found that none of the 41 incidents involving personal information were the result of outside attacks, but rather from information being exposed to unauthorized users. The only breach listed as having a “significant/large” impact, according to the GAO report, occurred when an email was sent to a group of staff at CMS which included an unencrypted list of account IDs and passwords. CMS told the GAO that, following the incident, it changed those passwords and advised all other employees to update their passwords.

In spite of this, Yaraghi said the report highlights a need for the Health Insurance Portability and Accountability Act (HIPAA) to be updated to reflect “pace with how technology has advanced.”

He notes, for example, that the law does not address mobile technologies. Unlike similar bank legislation, such as the Sarbanes-Oxley Act (SOX) of 2002, the provisions for health care websites are less descriptive, leaving organizations to interpret what it means to be in compliance with the law, instead of best security practices.

“I think … they tend to be non-descriptive, because they wanted the law to apply to a wide variety of organizations with different sizes and characteristics,” Yaraghi said. “However, the downside is that organizations never know if they’re complying with HIPAA.”

Yaraghi contrasts health care security with banking security, noting that financial institutions must undergo annual audits of their security systems to meet specific guidelines. The Office for Civil Rights (OCR), which works with health care organizations following security breaches under the Affordable Care Act (ACA), currently performs random audits each year, but those amount to "very little" he said. He warns that without mandatory audits, or a rigorous certification process, the government is doing little to stop an initial breach.

As part of its recommendations in the report, the GAO has called on HHS to define “day-to-day” procedures for overseeing state-based marketplaces, as well as reviewing annual reports from the marketplaces. In its response, HHS has agreed with the GAO’s recommendations.

“HHS acknowledges that risks exist inherently for every IT system and that as technologies progress, additional safeguards will be needed,” HHS staff wrote in a response to the draft GAO report.

Lacking any clearly-defined punitive measures, Yaraghi said, most for-profit health care institutions often fail to prioritize security over their core mission to provide patient care. He notes that decision makers need to have clearly defined requirements and punishments in order to make cost-benefit analyses that include security.

Though it may decline rates of digitization and, to a lesser extent, enrollment, Yaraghi said more rules and requirements have to be put into place before online records and enrollment systems should be cleared by HHS.

He said that part of the problem stems from a time when policy makers “were so psyched about digitizing” health care that they initially did not consider security.

“We provided everybody with a Ferrari and didn’t see if they had a driver’s license to drive it,” he said. “Before I start my car, I should fasten my seat belt. That causes me to start my car a couple of seconds later; however, it saves my life if I get into an accident.”

Senators and congresspersons, led by Sen. Lamar Alexander (R-Tennessee), have called on HHS secretary Sylvia Burwell and CMS acting administrator Andy Slavitt to respond to their letter by April 6.

The report, requested by both Democrats and Republicans within the House and Senate, comes on the sixth anniversary of the Affordable Care Act’s signing into law by President Obama.

Yaraghi’s report is due for publication April 30.