GAO report on privacy and security: a wake-up call for HHS?

For years, I have been a vocal proponent of securing protected health information. It is no secret that the U.S. Department of Health and Human Services (HHS) swept security and authentication under the rug during the rollout of electronic health records (EHRs), so as not to impede adoption of electronic records by providers by making them difficult to use. The current minimum requirements for identity assurance are set low, requiring only a strong password. The reality is that HHS played Russian roulette, hoping that security breaches would not occur despite weak username and static password authentication. Putting convenience ahead of security has led to breaches impacting millions of lives.

As Chair of the HIMSS Identity Management Task Force, I am constantly seeking news as it relates to security, identity management, and breaches, to name a few topics, and their effect on the nation’s healthcare system.

I just read the Government Accountability Office’s report to the U.S. Senate’s Committee on Health, Education, Labor and Pensions. The title tells the story: “HHS Needs to Strengthen Security and Privacy Guidance and Oversight”.

Having been immersed in identity management and the security side of health IT, nothing in the report surprised me. The GAO report summarizes its key findings, cites the historic breaches of 2015, in which over 113 million individuals’ health care records were exposed through hacking or other incidents, and details HHS’ shortcomings as they relate to securing our healthcare system.

We are at a point where HHS needs to wake up and realize that our healthcare system is one of the 16 critical infrastructure sectors defined in 2013’s Presidential Policy Directive 21. The Directive includes many provisions, and the Executive Order issued alongside it (EO 13636) tasked NIST with developing a Cybersecurity Framework. Although conforming to NIST’s Cybersecurity Framework is voluntary, its core set of security controls represents a consensus of topics to consider when developing information security programs. The Framework includes 98 subcategories.

HHS’ Office for Civil Rights (OCR) proactively developed a “crosswalk toolkit” that mapped 2003’s HIPAA Security Rule to the 2014 Cybersecurity Framework to show how organizations’ existing HIPAA compliance efforts fit into the Framework. GAO points out that, “of the 98 framework subcategories, the toolkit fully addresses only 19. Many of the specific controls detailed within the framework’s 98 subcategories are not addressed in either the HHS security assessment guidance or in its other risk management guidance.” If you are a baseball fan, 19 for 98 is below the Mendoza Line, batting .194.

Over the years, HHS has released several guidance documents, but all are weak and carry no mandates as they relate to identity management and authentication of entities accessing protected health information. Guidance documents typically include words like “may” and “should,” but rarely include words like “shall” or “must,” especially when it comes to identity management and the authentication of users accessing PHI.

The GAO report reinforces my statements: “However, the guidance published by HHS does not address all of the elements in the NIST guidance. HHS officials said they intended their guidance to be minimally prescriptive to allow flexible implementation by a wide variety of covered entities. However, until these entities address all the elements of the NIST Cybersecurity Framework, their EHR systems and data are likely to remain unnecessarily exposed to security threats.”

The GAO provides five recommendations for executive action. The first two are most notable:

  1. update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the NIST Cybersecurity Framework;
  2. update technical assistance that is provided to covered entities and business associates to address technical security concerns;

HHS can no longer stick its head in the sand and hope this cyberwar will just go away. I am pleased with the GAO’s report and I hope it will serve as a wake-up call for HHS. Honestly, what else needs to happen to urge HHS to update the 13-year-old HIPAA Security Rule so that it maps to the identity proofing and multi-factor authentication milestones included in ONC’s 2015 Shared Nationwide Interoperability Roadmap and NIST’s Cybersecurity Framework? It is my hope that HHS will collaborate with organizations like the HIMSS Identity Management Task Force, the HIMSS Privacy & Security Committee and the Identity Ecosystem Steering Group.

For more information on VASCO security solutions for healthcare visit https://www.vasco.com/solutions/healthcare-information-security/.