Risk
6/1/2011
04:05 PM

Schwartz On Security: Your Medical Records At Risk

The current, voluntary approach to HIPAA data security rules hasn't resulted in adequate security for electronic protected health information.

As people's private medical records increasingly get stored in electronic format, a question looms: Will our records be stored securely, so that they can't be easily stolen or publicly released en masse?

The Health Insurance Portability and Accountability Act (HIPAA), passed 15 years ago, was created to ensure that the healthcare industry kept patient data secure. Interestingly, however, since the passage of the HITECH Act in 2009, which was supposed to strengthen HIPAA enforcement, there's only been a single HIPAA fine over poor healthcare data security practices.

Perhaps the healthcare industry is doing a great job of keeping our patient data secure, and funding for HITECH enforcement should be cut, as some members of Congress have proposed.

Except that the healthcare industry doesn't appear to be properly protecting patient data. According to a survey conducted by certificate authority GlobalSign and released last week, in the past two years, one-third of surveyed healthcare organizations said they'd experienced a data breach involving patient records.

Furthermore, two new audits of the government agencies charged with setting and enforcing healthcare data security standards found that hospitals, healthcare organizations, and state agencies are failing to properly protect people's personal health information. In the audits, the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) criticized both the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) for failing to properly enforce HIPAA. It also found that data is being put at risk, and even stolen without hospitals' knowledge.

What's the problem? For starters, there's strong evidence of a bystander effect--numerous agencies are involved, but none seem to be in charge. That's in spite of the government pouring billions of dollars into converting the healthcare industry to electronic patient records. Arguably, there's never been a better time for the government to demand stringent data security standards in return for a piece of the pie.

Current hospital data security practices appear to be woefully inadequate. Indeed, OIG auditors also investigated electronic protected health information (ePHI) practices at seven hospitals across the nation. They found "151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact," according to the OIG's report. Threats included ineffective wireless encryption, rogue access points, missing firewalls, laptops storing unencrypted ePHI, outdated antivirus signatures, failing to apply critical operating system patches, and unlocked data centers.

"These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk," according to the report. "Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge."
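The audit findings listed above map cleanly onto controls a hospital security team can check automatically. The script below is an added example, not code from the article, the OIG, or any named vendor: it runs a set of control checks over a constructed asset inventory and tags each finding with an impact level, mirroring the report's high-impact categories (unencrypted ePHI on laptops, rogue or weakly encrypted access points, missing firewalls, stale antivirus signatures, missing critical patches, unlocked data centers). The inventory records, field names, and the age thresholds for signatures and patches are assumptions chosen for illustration.

```python
"""Control checks modelled on the ePHI weakness classes an OIG hospital audit
reported. Added example; the inventory, field names and thresholds below are
assumptions, not data from the audit or any real hospital."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Thresholds are assumptions chosen for this example.
AV_SIGNATURE_MAX_AGE_DAYS = 7       # signatures older than this count as stale
CRITICAL_PATCH_MAX_AGE_DAYS = 30    # a critical patch outstanding longer than this is high impact
STRONG_WIFI = {"wpa2", "wpa3"}      # anything else (open, WEP, WPA-TKIP) is treated as ineffective


@dataclass
class Asset:
    name: str
    kind: str                                   # "laptop", "server", "access_point", "datacenter"
    stores_ephi: bool = False
    disk_encrypted: bool = True
    av_signature_date: Optional[date] = None    # date of the newest AV signature set installed
    oldest_missing_critical_patch: Optional[date] = None  # release date of the oldest unapplied critical patch
    wifi_encryption: Optional[str] = None       # access points only
    authorized: bool = True                     # access points: is this one on the approved list?
    firewall_enabled: bool = True               # hosts: host firewall / perimeter protection present
    door_locked: bool = True                    # data centers: physical access control in place


@dataclass
class Finding:
    asset: str
    control: str
    impact: str  # "high" or "low"


def check_asset(asset: Asset, today: date) -> List[Finding]:
    """Return the control failures for one asset, classified by impact."""
    findings: List[Finding] = []
    if asset.kind == "laptop" and asset.stores_ephi and not asset.disk_encrypted:
        findings.append(Finding(asset.name, "unencrypted ePHI at rest", "high"))
    if asset.kind in {"laptop", "server"}:
        sig = asset.av_signature_date
        if sig is None or (today - sig).days > AV_SIGNATURE_MAX_AGE_DAYS:
            findings.append(Finding(asset.name, "antivirus signatures stale", "low"))
        patch = asset.oldest_missing_critical_patch
        if patch is not None and (today - patch).days > CRITICAL_PATCH_MAX_AGE_DAYS:
            findings.append(Finding(asset.name, "critical OS patch missing", "high"))
        if not asset.firewall_enabled:
            findings.append(Finding(asset.name, "firewall missing", "high"))
    if asset.kind == "access_point":
        if not asset.authorized:
            findings.append(Finding(asset.name, "rogue access point", "high"))
        if (asset.wifi_encryption or "open").lower() not in STRONG_WIFI:
            findings.append(Finding(asset.name, "ineffective wireless encryption", "high"))
    if asset.kind == "datacenter" and not asset.door_locked:
        findings.append(Finding(asset.name, "data center unlocked", "high"))
    return findings


def audit(inventory: List[Asset], today: date) -> Tuple[List[Finding], dict]:
    """Run every check over the inventory and summarise the count by impact."""
    findings = [f for asset in inventory for f in check_asset(asset, today)]
    summary = {"total": len(findings), "high": sum(f.impact == "high" for f in findings)}
    return findings, summary


# Constructed sample inventory (not real hosts) for a stand-alone run.
SAMPLE_INVENTORY = [
    Asset("lap-01", "laptop", stores_ephi=True, disk_encrypted=False,
          av_signature_date=date(2011, 5, 30)),
    Asset("lap-02", "laptop", stores_ephi=True, av_signature_date=date(2011, 4, 15),
          oldest_missing_critical_patch=date(2011, 3, 1)),
    Asset("srv-01", "server", av_signature_date=date(2011, 5, 31), firewall_enabled=False),
    Asset("ap-01", "access_point", wifi_encryption="WPA2"),
    Asset("ap-03", "access_point", wifi_encryption="wep", authorized=False),
    Asset("dc-1", "datacenter"),
]
TODAY = date(2011, 6, 1)  # assumed audit date


def run_sample() -> Tuple[List[Finding], dict]:
    return audit(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    found, totals = run_sample()
    for f in found:
        print(f"{f.impact.upper():4} {f.asset:8} {f.control}")
    print(totals)
```

The checks are deliberately boolean and threshold-based so that the same code can be fed from a real asset database or endpoint-management export; the point is that every finding class in the audit is something a covered entity can verify on a schedule rather than wait for a complaint to surface.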

Who's to blame? Auditors slammed the Centers for Medicare and Medicaid Services--and its Office for Civil Rights (OCR)--for failing to proactively assess any hospitals' compliance with HIPAA. "Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so," according to the report.

If that sounds familiar, it's because government auditors found that the Centers for Medicare and Medicaid Services were similarly failing to enforce HIPAA security rules back in 2008. At the time, CMS leadership argued that "its complaint-driven enforcement process has furthered the goal of voluntary compliance," according to the 2008 audit. But given the number of data security vulnerabilities found in the seven recently audited hospitals, the voluntary compliance regime appears to be failing. Furthermore, if not even hospitals know when patient data is being stolen, who's going to complain?

Likewise, HHS last week proposed changes to the HIPAA privacy rule to let people review who has accessed their data and with whom it has been shared. But if that data isn't secure, who thinks those access records will be 100% accurate?

Cue a now-common refrain: Something must be done to correct the current state of health information data security. Where can we start? "Fixing the serious data security problems afflicting the health care system will require coordinated and focused action among several government agencies, particularly ONC, OCR, and [CMS]," said Harley Geiger, policy counsel at the Center for Democracy & Technology (CDT), in a blog post.

But don't expect HIPAA to get teeth anytime soon. "The [OIG] reports acknowledge that responsibility for health data security is vested in a number of agencies, and the reports recommend that ONC coordinate its work with CMS and OCR where applicable," said Geiger. "Unfortunately, these points are buried and not given weight proportionate to the scale of the problem. The failure to have a comprehensive, coordinated strategy is at the root of the issues raised in the report."
