Inspector general's reports have harsh words for HHS' security rule enforcement, but experts say not all the criticism is warranted
Federal officials and healthcare providers are torn between a push to adopt information technology as quickly and broadly as possible and the rival demands of securing their patients' private electronic data.
HHS' inspector general's office last week issued twin reports slamming the department for patterns long recognized, though not necessarily condemned, among health IT professionals.
The CMS and subsequently HHS' Office for Civil Rights have not aggressively enforced the security rule of the Health Insurance Portability and Accountability Act of 1996, the inspector general's office concluded in one audit report. A second audit found that the Office of the National Coordinator for Health Information Technology has failed to promote security as a priority in its strategies and standards.
Dr. David Blumenthal, national coordinator for health IT from March 2009 until April 8, wrote in a formal response letter to the inspector general's office that ONC's “primary mission” is to promote health IT adoption while striking a balance between security and “not creating such an onerous burden of technical requirements that the primary adoption goal would fail to be achieved.” By 2015, Blumenthal said, the ONC and the CMS expect to have “a strong security framework.”
Security experts agreed with many of the inspector general's sharp assessments, but took issue with others. Not everyone believes Blumenthal is wrong about the balance. And some credit the Office for Civil Rights with applying more vigor to HIPAA security enforcement since inheriting the role from the CMS in 2009 while retaining an approach that's more constructive than punitive.
The inspector general's office used the results of its own random security compliance audits between August 2009 and March 2010 as evidence of a serious need for tougher security enforcement by the civil rights office and recommended that the office do its own random compliance audits. The auditors identified 151 “vulnerabilities in the systems and controls” of seven unnamed hospitals in California, Georgia, Illinois, Massachusetts, Missouri, New York and Texas. The report described 124 of the weaknesses as “high impact.”
They included ineffective encryption and lack of firewalls on wireless networks, computers that did not automatically log off users after periods of inactivity, and computers and servers with security and antivirus updates left uninstalled. Some of the hospitals were found to have shared administrator accounts or user IDs and passwords that had not been changed from defaults, as well as user accounts with inappropriate access to patient information.
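The weaknesses the auditors listed are the kind a provider can check for itself before an outside audit does. The following Python script is an added example, not code from the article, the inspector general's office or HHS: it scores a constructed host inventory against those same categories (wireless encryption and firewalling, inactivity logoff, patch and antivirus currency, shared or default administrator credentials, and user access to patient data outside clinical roles). The field names, thresholds and sample hosts are assumptions chosen for illustration; a real audit would populate them from endpoint management, patching and identity systems.

```python
"""Added example (not from the article or HHS): flag the weakness
categories the OIG auditors reported, over a constructed host inventory.
Field names, thresholds and sample data below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Thresholds are assumptions for this example, not values from the reports or HIPAA.
MAX_PATCH_AGE_DAYS = 30
MAX_AV_AGE_DAYS = 7
MAX_IDLE_MINUTES = 15
WEAK_WIRELESS = {"none", "WEP"}          # treated as ineffective encryption
CLINICAL_ROLES = {"physician", "nurse", "pharmacist"}

Finding = Tuple[str, str, str]           # (host, category, detail)


@dataclass
class Host:
    name: str
    wireless_encryption: Optional[str] = None   # None = no wireless interface
    wireless_firewall: bool = True
    auto_logoff_minutes: Optional[int] = None   # None = never logs off idle users
    days_since_os_patch: int = 0
    days_since_av_update: int = 0
    admin_account_shared: bool = False
    default_credentials: bool = False
    # (user, role, has_patient_data_access)
    users: List[Tuple[str, str, bool]] = field(default_factory=list)


def audit_host(h: Host) -> List[Finding]:
    """Return one finding per weakness category observed on a single host."""
    findings: List[Finding] = []
    if h.wireless_encryption is not None:
        if h.wireless_encryption in WEAK_WIRELESS:
            findings.append((h.name, "wireless_encryption",
                             f"wireless protected by {h.wireless_encryption}"))
        if not h.wireless_firewall:
            findings.append((h.name, "wireless_firewall", "no firewall on wireless segment"))
    if h.auto_logoff_minutes is None or h.auto_logoff_minutes > MAX_IDLE_MINUTES:
        findings.append((h.name, "auto_logoff",
                         f"idle timeout is {h.auto_logoff_minutes} min (max {MAX_IDLE_MINUTES})"))
    if h.days_since_os_patch > MAX_PATCH_AGE_DAYS:
        findings.append((h.name, "os_patching",
                         f"security updates {h.days_since_os_patch} days old"))
    if h.days_since_av_update > MAX_AV_AGE_DAYS:
        findings.append((h.name, "antivirus",
                         f"antivirus signatures {h.days_since_av_update} days old"))
    if h.admin_account_shared:
        findings.append((h.name, "shared_admin", "administrator account shared by staff"))
    if h.default_credentials:
        findings.append((h.name, "default_credentials", "vendor default user ID/password in use"))
    for user, role, has_phi in h.users:
        # Patient-data access is expected only for clinical roles in this toy model.
        if has_phi and role not in CLINICAL_ROLES:
            findings.append((h.name, "inappropriate_access",
                             f"{user} ({role}) can read patient information"))
    return findings


def audit_inventory(hosts: List[Host]) -> List[Finding]:
    """Audit every host and concatenate the findings."""
    out: List[Finding] = []
    for h in hosts:
        out.extend(audit_host(h))
    return out


def count_by_category(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings per category, the shape a summary report needs."""
    counts: Dict[str, int] = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample inventory: three hypothetical hosts, not real systems.
SAMPLE_HOSTS = [
    Host("er-ws-01", wireless_encryption="WEP", wireless_firewall=False,
         auto_logoff_minutes=None, days_since_os_patch=90, days_since_av_update=3,
         admin_account_shared=True,
         users=[("jdoe", "nurse", True), ("bsmith", "billing", True)]),
    Host("lab-srv-02", auto_logoff_minutes=10, days_since_os_patch=5,
         days_since_av_update=20, default_credentials=True,
         users=[("lab1", "lab_tech", False)]),
    Host("clinic-lt-03", wireless_encryption="WPA2", auto_logoff_minutes=15,
         users=[("drlee", "physician", True)]),
]

if __name__ == "__main__":
    for host, category, detail in audit_inventory(SAMPLE_HOSTS):
        print(f"{host:12} {category:22} {detail}")
    print(count_by_category(audit_inventory(SAMPLE_HOSTS)))
```

Each finding carries a category rather than a free-text message so the summary can be compared across hosts and across audit runs, which is what a security lead needs when making the budget case discussed later in the article.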
The reports shocked no one among the industry's security experts. “This isn't a surprise, or shouldn't be a surprise, to anyone,” said Michael “Mac” McMillan, the CEO and co-founder of Austin, Texas-based healthcare information security firm CynergisTek. McMillan also serves as chairman of the Privacy and Security Steering Committee of the Healthcare Information and Management Systems Society, the health IT industry's largest trade group.
The government's weak record on electronic security enforcement, according to McMillan, is reflected in the industry's lack of investment in data security. For three years, HIMSS has conducted annual surveys of healthcare security professionals. Its most recent report, released in November, indicated IT security remains a ghostly blip on the industry's radar screen. The most recent survey found that almost half (46%) of organizations spent 3% or less of their IT budgets on information security. “We've seen no (spending) increase whatsoever,” McMillan said. “If they're not spending at least 6%, then they can't possibly be doing a good job.”
When the Office for Civil Rights replaced the CMS as the HIPAA security rule enforcement authority, the CMS had investigated 428 security complaints but had not levied a single civil monetary penalty against a violator since the security rule became effective in April 2005. It was not until this February that an Office for Civil Rights probe led to a civil penalty, a $4.3 million fine against Maryland-based Cignet Health for HIPAA privacy violations. Also that month, Massachusetts General Hospital, Boston, entered into a $1 million settlement agreement with HHS over the loss of 192 paper medical records an employee left on a subway train.
While McMillan agrees with the recommendation that the civil rights office should conduct random security audits, he applauds the office for increasing—by a factor of four—the number of complaints it has settled with resolution agreements compared with the CMS' record.
“When you read this report, the first thing you come away with is that everybody is doing a crappy job,” McMillan said, and that is not the case. “Have they fined a bunch of people? No,” he said, but the Office for Civil Rights “is doing a much better job than CMS ever did. They're taking it a lot more seriously.” However, McMillan backs the inspector general's conclusion that the ONC needs to better promote security to healthcare industry data handlers.
The auditors concluded the ONC did well in drafting parts of its final rule for testing and certification of electronic health-records systems. The rule, released last summer as part of the incentive payment program under the American Recovery and Reinvestment Act, requires that certain security measures be part of certified EHR systems.
What the ONC lacked, however, the inspector general's office said, were more “general IT security controls,” such as insisting encryption is used to protect patient data stored on laptop computers and mobile devices. In the HIMSS survey, only 39% of organizations required encryption on mobile devices.
The Office for Civil Rights, under a provision of the stimulus law, publishes reports of breaches involving 500 or more unencrypted patient records, and most of the 203 breaches of electronic data involved laptop computers and other portable devices and media, such as CDs and backup tapes (See chart above). Sixty-one reported breaches involved paper records.
“We're looking at them (the ONC) to provide guidance so we have some standards to benchmark against,” said Lori Pilcher, the assistant inspector general for grants, internal activities and information technology audits. The ONC at this point should be able to promote EHR adoption and ensure patient data security, according to Pilcher. “To say our focus is on ramping it up, I have difficulty with that—to think my records are part of a system where security hasn't been the focus,” she said.
Daniel Gottlieb, a Chicago-based privacy and security lawyer and partner in the firm McDermott Will & Emery, said the auditors “reviewed the ONC's security standards in a vacuum without looking at the broader regulatory environment in the healthcare industry.”
Gottlieb asserts that HIPAA already requires much of the data protection the inspector general's office wants to see coming from the ONC. “I don't think there's a need for overlapping standards,” he said. Getting more specific would likely become unworkable, he added, given HIPAA has to stretch to cover everything from a rural physician's solo practice to a massive, national health insurance company.
Gottlieb affirmed that the Office for Civil Rights is doing more investigations than the CMS used to. “I still think that OCR is trying to work more with providers on compliance than working on more big fines,” he said, adding that might not be the best tactic to maximize compliance.
Indeed, said Lisa Gallagher, senior director of privacy and security at HIMSS, the Office for Civil Rights needs to be more forceful not so much to punish the wicked, but to empower the virtuous. “I continue to hear from folks who work in security that, as long as there is not visible enforcement, it hurts their chances of getting the resources and budgets and employees they need,” she said. “For the person who has to do security and ask for the funding and do the training, having a visible, ongoing audit program would give them the leverage.”
Gallagher also serves on the privacy and security workgroup of the federally chartered Health IT Standards Committee, which reports to the ONC. She disagrees that the ONC needs to have done more—for now—in promoting security. “I think for Stage 1 what they did, requiring the risk assessment, I think that's reasonable and appropriate. I think ONC is already looking at some of the areas” the audits listed, she said. “I see very deliberate consideration of what they're going to do next.”