One audit cited the Office of the National Coordinator for Health IT (ONC) for poor performance in ensuring that patients’ health information was secure and adequately protected while implementing a nationwide interoperable health IT (HIT) infrastructure.
The OIG found that ONC did not have in place sufficient general IT security controls, such as encrypting data stored on mobile devices, requiring two-factor authentication when remotely accessing the health IT system, and patching the operating systems of computers that process and store electronic health records.
“We found a lack of general IT security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals. Those vulnerabilities, combined with our findings in this audit, raise concern about the effectiveness of IT security for HIT if general IT security controls are not addressed”, the OIG said.
The OIG recommended that ONC broaden its focus to include general IT security controls for supporting systems, networks, and infrastructures; provide guidance to the health industry on established general IT security standards and best practices; emphasize to the medical community the importance of general IT security; and coordinate its work with the Centers for Medicare and Medicaid Services (CMS) and the department's Office for Civil Rights to add general IT security controls where applicable.
The second audit found that CMS was lax in its enforcement of the Health Insurance Portability and Accountability Act (HIPAA) security rule. The OIG found that CMS could not say whether controls were in place at hospitals and other covered healthcare organizations to safeguard electronic protected health information (ePHI).
Under HIPAA, hospitals and other healthcare organizations that transmit electronic health information are required to ensure the confidentiality, integrity, and availability of the information; protect against any reasonably anticipated threats or risks to the security or integrity of the information; and protect against unauthorized uses or disclosures of the information.
“Our audits of seven hospitals throughout the nation identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge”, the OIG said.
The office recommended that CMS implement procedures for conducting compliance reviews to ensure that HIPAA security rule controls are in place at healthcare facilities and operating as intended.