The Department of Health and Human Services Office of Inspector General (OIG) conducted two audits of electronic medical records (EMR) and the results showed that security measures are seriously lacking. This is not good news since the White House has set a goal to make sure every American has an EMR by 2014. As PBS pointed out:
Beginning this year, health care professionals who effectively use electronic records can each receive up to $44,000 over five years through Medicare or up to $63,750 over six years through Medicaid.
The audits examined health IT security standards, compliance with the Health Insurance Portability and Accountability Act (HIPAA) and network vulnerabilities at hospitals. HHS also looked at the security policies at the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC).
The investigation audited computer security at seven large hospitals in different states, and found 151 major vulnerabilities, including unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage. The auditors classified 124 of the breaches as “high impact,” resulting in costly losses, injury or death. According to the report, “outsiders or employees at some hospitals could have accessed, and at one of the seven hospitals did access, systems and beneficiaries’ personal data.”
Information culled from health care data is a prime target for hackers. As The Washington Post wrote:
In recent years, the case of a former UCLA Medical Center worker who sold details from the files of actress Farah Fawcett, singer Britney Spears and others to the National Enquirer gained notoriety.
Most cases don’t involve celebrities or get much attention. Yet fraudsters covet health care records, since they contain identifiers such as names, birth dates and Social Security numbers that can be used to construct a false identity or send Medicare bogus bills.
It’s not like the move to EMRs has been pushed too quickly. The program is being gradually phased in, and health care and IT departments have been dealing with compliance and privacy issues for some time now.
InformationWeek highlighted some of the suggestions from OIG to improve security policies. For the audit, titled “Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight,” OIG examined CMS’ oversight and enforcement of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Security Rule:
[OIG] found CMS lax in its efforts to ensure that covered entities, such as hospitals, adhered to the Security Rule.
In its recommendations, OIG urged the Department’s Office for Civil Rights (OCR) to continue the compliance review process that CMS began in 2009 and implement procedures for conducting compliance reviews to ensure that Security Rule controls are in place to protect health information at covered entities.
In another report, “Audit of Information Technology Security Included in Health Information Technology Standards,” ONC was taken to task for not doing enough to implement proper security measures to protect sensitive patient information.
ONC endorsed OIG’s four recommendations outlined below:
- Broaden its focus from interoperability specifications to include well-developed general IT security controls for supporting systems, networks, and infrastructures.
- Use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices.
- Emphasize to the medical community the importance of general IT security.
- Coordinate its work with CMS and OCR to add general IT security controls where applicable.