The Government Accountability Office on Monday released what's being called a "scathing" report on cybersecurity preparedness and threats in health information technology. The agency states that HHS' investigations often result in technical advice that is not pertinent to the problems identified and that the agency doesn't always follow up to ensure corrective actions have been taken.
“Finally, for the first time that I know of there's an official document saying that the insider threat is the most significant threat,” said Pam Dixon, founder of the World Privacy Forum, a San Diego-based not-for-profit organization that tracks patient privacy and security issues.
The GAO report was requested by Sen. Lamar Alexander (R-Tenn.) and Sen. Patty Murray (D-Wash.), the chairman and ranking member, respectively, of the Senate Health, Education, Labor and Pensions Committee. Both legislators have taken an active interest in federal health IT policy.
Monday's report comes on the heels of a broader study by the watchdog agency released earlier this month on cybersecurity across the federal government.
That report found a 13-fold increase in reported cyberattacks on federal government agencies between 2006 and 2015, to more than 77,000 last year.
In healthcare, since September 2009, when HHS' Office for Civil Rights began publicly reporting medical record breaches affecting the records of 500 or more individuals on its “wall of shame” website, there have been 1,667 breaches large enough to make the list.
Together they account for 168.3 million individuals, more than half the U.S. population, who have had their medical records breached. Just 221 of those breaches, or 13.3%, were attributed to some form of hacking, but many of those hacks were very large, accounting for 126 million, or 75%, of the records exposed.
Dixon said the GAO pointed out that HHS is not providing adequate guidance to providers about cybersecurity and is not tying that guidance to the risk assessments HIPAA requires.
“They want HHS to greatly expand their technical guidance,” Dixon said.
Under current procedures, HHS' Office for Civil Rights, which is charged with enforcing the privacy and security rules of the Health Insurance Portability and Accountability Act, has been performing HIPAA audits sporadically since 2012. But the GAO said there were no benchmarks against which to assess the effectiveness of those audits.
According to Dixon, that means that, without benchmarks, “there's really not a good way to look at the audits and see if they are effective.”