Risk
6/1/2011
04:05 PM
Connect Directly
RSS
E-Mail
50%
50%

Schwartz On Security: Your Medical Records At Risk

The current, voluntary approach to HIPAA data security rules hasn't resulted in adequate security for electronic protected health information.

As people's private medical records increasingly get stored in electronic format, a question looms: Will our records be stored securely, so that they can't be easily stolen or publicly released en masse?

The Health Insurance Portability and Accountability Act (HIPAA), passed 15 years ago, was created to ensure that the healthcare industry kept patient data secure. Interestingly, however, since the passage of the HITECH Act in 2009, which was supposed to strengthen HIPAA enforcement, there's only been a single HIPAA fine over poor healthcare data security practices.

Perhaps the healthcare industry is doing a great job of keeping our patient data secure, and funding for HITECH enforcement should be cut, as some members of Congress have proposed.

Except that the healthcare industry doesn't appear to be properly protecting patient data. According to a survey conducted by certificate authority GlobalSign and released last week, in the past two years, one-third of surveyed healthcare organizations said they'd experienced a data breach involving patient records.

Furthermore, two new audits of the government agencies charged with setting and enforcing healthcare data security standards found that hospitals, healthcare organizations, and state agencies are failing to properly protect people's personal health information. In the audits, the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) criticized both the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) for failing to properly enforce HIPAA. It also found that data is being put at risk, and even stolen without hospitals' knowledge.

What's the problem? For starters, there's strong evidence of bystander effect--numerous agencies are involved, but none seem to be in charge. That's in spite of the government pouring billions of dollars into converting the healthcare industry to electronic patient records. Arguably, there's never been a better time for the government to demand stringent data security standards in return for a piece of the pie.

Current hospital data security practices appear to be woefully inadequate. Indeed, OIG auditors also investigated electronic protected health information (ePHI) practices at seven hospitals across the nation. They found "151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact," according to the OIG's report. Threats included ineffective wireless encryption, rogue access points, missing firewalls, laptops storing unencrypted ePHI, outdated antivirus signatures, failing to apply critical operating system patches, and unlocked data centers.

"These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk," according to the report. "Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge."

Who's to blame? Auditors slammed the Centers for Medicare and Medicaid Services--and its Office for Civil Rights (OCR)--for failing to proactively assess any hospitals' compliance with HIPAA. "Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so," according to the report.

If that sounds familiar, it's because government auditors found that the Centers for Medicare and Medicaid Services were similarly failing to enforce HIPAA security rules back in 2008. At the time, CMS leadership argued that "its complaint-driven enforcement process has furthered the goal of voluntary compliance," according to the 2008 audit. But given the number of data security vulnerabilities found in the seven recently audited hospitals, the voluntary compliance regime appears to be failing. Furthermore, if not even hospitals know when patient data is being stolen, who's going to complain?

Likewise, HHS last week proposed changes to the HIPAA privacy rule to let people review who's accessed their data, as well as who their data has been shared with. But if that data isn't secure, who thinks those access records will be 100% accurate?

Cue a now-common refrain: Something must be done to correct the current state of health information data security. Where can we start? "Fixing the serious data security problems afflicting the health care system will require coordinated and focused action among several government agencies, particularly ONC, OCR, and [CMS]," said Harley Geiger, policy counsel at the Center for Democracy & Technology (CDT), in a blog post.

But don't expect HIPAA to get teeth anytime soon. "The [OIG] reports acknowledge that responsibility for health data security is vested in a number of agencies, and the reports recommend that ONC coordinate its work with CMS and OCR where applicable," said Geiger. "Unfortunately, these points are buried and not given weight proportionate to the scale of the problem. The failure to have a comprehensive, coordinated strategy is at the root of the issues raised in the report."


In the new, all-digital InformationWeek Healthcare: iPads are leading a new wave of devices into the exam room. Are security, tech support, and infection control up to the task? Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.