High-profile computer hackers usually find their names in the paper after sabotaging Amazon.com or shutting down CNN's Web site. But some of the nation's most sensitive patient data may be subject to similar security threats, experts have testified in Congress.
While HCFA officials say there has never been a security lapse in the agency's 24-year history, others are concerned that the Medicare claims data the giant agency processes are vulnerable to hackers and the increasingly common "cyber-attack."
For cyber-criminals, Pentagon and other highly secure sites have been the most popular targets. But it may not be difficult for e-terrorists to grab data and wreak havoc at HCFA as well. Security experts say it is even likely that HCFA's business partners, and not the agency itself, will instigate a security breach by not complying with network safety standards.
"The security of the Medicare claims system is a matter that HCFA and all of us must take very seriously, for it is one of the most critical federal assets, containing vast amounts of personally identifiable private medical information," said Rep. W.J. "Billy" Tauzin (R-La.) in a May hearing before the House Energy and Commerce subcommittee on oversight and investigations. "There is no doubt that HCFA can and must do better in this area."
The Medicare program HCFA administers provided health insurance benefits to 39.5 million Americans at a cost of $215 billion last year. Lackluster security, witnesses said, could affect patient privacy and put billions of dollars at risk.
"No one is disputing the facts presented by our auditors," HCFA Chief Information Officer Jared Adair said in a written statement to Modern Healthcare. "We are actively working to continually improve our security measures."
That has involved such things as putting tighter reins on password management and securing physical areas where computer hardware is maintained.
One problem for HCFA is Medicare contractors' lack of attention to security standards, Adair said in testimony before the subcommittee. To address that issue, the agency has distributed to contractors "baseline security requirements" and follows up to assess compliance, Adair said.
Even so, Tauzin and others charged that HCFA has neglected to monitor closely those that provide computer and networking services to the agency.
"HCFA has not been aggressive enough in pushing (contractors such as IBM and AT&T) to allow independent tests of their systems," Tauzin said at the hearing. "We simply cannot take (the contractors') assurances of security at face value, not because they are incompetent or deceptive, but simply because they may not be as secure as they would like to think."
The impact of such inadequacies ranges from improper Medicare payments and inaccurate financial statements to unauthorized access to critical operations, said Joseph Vengrin, assistant inspector general for audit operations and financial statement activities, in the May congressional hearing.
"Most of our data only has its value in aggregate, making the likelihood that someone will accomplish a breach for a single beneficiary's claim information very small," Adair told Modern Healthcare.
In its 2000 audit of HCFA, Vengrin's office cited 124 weaknesses in government and contractor computers that left Medicare patient data vulnerable.
"The underlying internal control environment for Medicare claim processing operations needs substantial improvement," Vengrin said. "Weaknesses in such controls can compromise the integrity of program data and increase the risk that data may be inappropriately used and/or disclosed."
En Garde Systems, an Albuquerque, N.M.-based computer security firm, worked with HCFA between 1997 and 2000 to assess the agency's systems and identify potential threats. En Garde President Michael Neuman testified in May that "there is a healthy approach to security from HCFA management," but warned that "we have found HCFA's contractors to be outright obstructive in providing sound security."
En Garde's team, Neuman said, gained access to HCFA's Web server, maintained by IBM Global Services, "without any more expertise than it takes to point and click." IBM officials could not be reached for comment before deadline.
It took HCFA more than a year to negotiate a deal with IBM under which HCFA could test the computer giant's security measures, according to En Garde. "HCFA has been doing a lot to get controls over those systems," said Diana Neuman, vice president of En Garde.
"(HCFA) and the inspector general have encountered concerns from some vendors who are worried that our testing may inadvertently disrupt their private business or disclose their proprietary property," Adair said.
Nevertheless, she added, "we have not abandoned testing of our Medicare contractors or our other vendors' systems. I am confident that we will make such testing possible and routine, so that we can gain the assurance we need that the systems are well protected."
Between 2000 and 2001, HCFA's spending on major information security projects increased to $11.7 million from $5 million, Adair reported to Congress.