GAO criticizes HHS over security of patient health records
A team of GAO investigators, lead by information security issues director Gregory Wilshusen, said the growing use of electronic health care records provides a number of benefits to patients, including reducing costs and lessening the likelihood of medical errors during treatment.
However, hackers and data thieves are increasingly targeting these electronic records because of their rising value on the black market.
“Criminals are aware that obtaining complete health records are often more useful than isolated financial information, such as credit information,” the GAO said.
The GAO report said the health information of more than 113 million individuals was compromised in 2015, including a massive data breach of the Anthem computer system, in which 79 million patient accounts were hacked.
The HHS is responsible for creating security guidelines for all health care providers covered by the 1996 Health Insurance Portability and Accountability Act (HIPAA) to ensure they keep patient data safe, and observe federal privacy rules.
But GAO investigators said those guidelines don't do nearly enough to address the rapidly changing types, and increasing numbers, of security threats.
The report said HHS guidance does not give health care providers the specific guidance they need to develop "key security controls” that protect patient data from theft.
GAO investigators also said health care providers have struggled to comply with the security controls and privacy requirements the HHS has established.
"Without more comprehensive guidance,” the GAO said, health care providers "may not be adequately protecting electronic health information from compromise.”
The GAO said the HHS’s oversight effort to ensure providers comply with federal rules and regulations "did not always fully verify that the regulations were implemented.”
The report faulted the HHS's Office of Civil Rights, which investigates security issues and possible privacy violations, for providing "technical assistance that was not pertinent to identified problems."
Investigators said that in other instances, the Office of Civil Rights "did not always follow up to ensure that agreed-upon corrective actions were taken once investigative cases were closed.”
The GAO also said the Office of Civil Rights has no way of measuring whether its audit and investigation programs have been successful.
"These weaknesses result in less assurance that loss or misuse of health information is being adequately addressed,” the GAO said.
Wilshusen’s investigative team recommended that the HHS "update its guidance for protecting electronic health information to address key security elements,” and "improve technical assistance it provides to covered entities.”
The HHS assistant secretary for legislation, Jim Esquea, generally agreed with the recommendations, but said adopting some of them will depend on available resources within the Department.
Esquea also said the Office of Civil Rights (OCR) is “sensitive to the burdens [its investigations put] on HIPAA covered entities and business associates.”
Because of this, Esquea said, the OCR must “consider how best to implement” the GAO’s recommendations for follow-ups after a security or privacy investigation “without creating unwarranted burdens on such entities once an investigation is closed.”