In a separate 23-page report, auditors criticize the ONC for lack of leadership in promoting electronic health information security.
In July 2009, the Office for Civil Rights took over as overseer of the HIPAA security rule from the CMS. At the time, the CMS said it had investigated 428 security complaints but hadn't levied a single monetary penalty against a violator since the HIPAA security rule became effective for providers in April 2005.
The inspector general's report noted that although both the CMS and the Office for Civil Rights had the authority to launch security audits, neither had done so.
To test hospitals' levels of HIPAA compliance, the inspector general's office initiated a series of its own security audits between August 2009 and March 2010 at hospitals in California, Georgia, Illinois, Massachusetts, Missouri, New York and Texas.
In conducting site visits and performing compliance audits of hospitals that both the CMS and the Office for Civil Rights could have done but didn't, inspector general auditors identified “151 vulnerabilities in the systems and controls” intended to cover electronic “protected health information” as defined by HIPAA. Of those, according to the auditors, “124 were categorized as high-impact.”
The audits of the seven hospitals revealed weaknesses in hospital IT defenses of electronic protected health information, or ePHI, ranging from the fact that several hospitals still were using obsolete and vulnerable encryption protocols to the fact that all seven had vulnerable access controls in which “Outsiders or employees at some hospitals could have accessed, and in one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge.”
“These vulnerabilities placed the confidentiality, integrity and availability of ePHI at risk,” the auditors said. The individual hospital audit reports were not disclosed “because the reports contained restricted, sensitive information that may be exempt from release under the Freedom of Information Act,” according to the report.
The Office for Civil Rights noted in its response that it maintains a process for initiating compliance reviews for covered entities. The office also said it had performed compliance audits on those covered entities that had suffered breaches involving records of more than 500 individuals—the threshold for an organization to report to the government for posting on a public breach notification list.
According to the auditors, though, the Office for Civil Rights needs to do even more and not just react to breaches.
Although the Office for Civil Rights “stated that it maintains a process for initiating covered-entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so,” the auditors' report said, adding that it encouraged the Office for Civil Rights to perform random compliance audits on organizations not subject to consumer complaints.
In the other report released today, auditors note that the ONC was tasked with certain security responsibilities under the American Recovery and Reinvestment Act of 2009. Those include updating the national health IT strategic plan to include “objectives, milestones and metrics” for “ensuring appropriate authorization and electronic authentication of health information” and “specifying technologies or methodologies for rendering electronic health information unusable, unreadable or indecipherable to unauthorized users.”
As a yardstick for ONC performance as a security champion, the inspector general's auditors reviewed last year's ONC-developed interim final rule and final rule on standards, implementation specifications and certification criteria for the ARRA-funded electronic health-record system incentive payment program. The auditors found both wanting.
The report's authors differentiated between two types of security measures. One they described as “application security controls” that “function inside systems or applications to ensure that they work correctly.” These are the controls covered by the ONC final rule and used when electronic health-record systems are tested and certified as able to meet the meaningful-use requirements for providers participating in the federal IT incentive payment programs. An example is the requirement that certified EHRs be able to encrypt data shared between providers.
The auditors called the other type of measures “general information technology security controls,” described as “structure, policies and procedures that apply to an entity's overall computer operation.”
An example would be a policy that requires providers to use encryption software on their systems and encrypt all data copied from an EHR and placed on a portable storage device, such as a laptop, CD or a portable thumb drive.
The auditors found that the ONC had included application controls in writing its interoperability specifications for meaningful use, but that “there were no (health IT) standards that included general IT security controls.”
The report suggested other general controls the ONC had not addressed and could develop, such as a requirement that providers use two-factor authentication to gain access to an organization's health IT system and policies mandating that organizations install “patches,” or bug fixes, routinely and promptly on the computers that process and store EHRs.
In a March 23 letter in response to the audit, then-ONC head Dr. David Blumenthal explained that the ONC's meaningful-use criteria required providers to perform risk assessments in accordance with HIPAA security requirements. (The HIPAA security rule does not flatly require providers to encrypt data; encryption is an “addressable” specification, meaning a covered entity must implement it if reasonable and appropriate or document why an equivalent alternative was chosen instead.)
Blumenthal also wrote that ONC's “primary mission is to promote the adoption of health IT.” Consequently, in these early stages of EHR adoption under the ARRA incentive program, “ONC has worked to strike the right balance between ensuring the security of health information among new adopters while not creating such an onerous burden of technical requirements that the primary adoption goal would fail to be achieved.” But by 2015, Blumenthal said, the ONC and the CMS expect to have a well-developed set of certification criteria that will form “a strong security framework.”