Risk
6/1/2011
04:05 PM
50%
50%

Schwartz On Security: Your Medical Records At Risk

The current, voluntary approach to HIPAA data security rules hasn't resulted in adequate security for electronic protected health information.

As people's private medical records increasingly get stored in electronic format, a question looms: Will our records be stored securely, so that they can't be easily stolen or publicly released en masse?

The Health Insurance Portability and Accountability Act (HIPAA), passed 15 years ago, was created to ensure that the healthcare industry kept patient data secure. Interestingly, however, since the passage of the HITECH Act in 2009, which was supposed to strengthen HIPAA enforcement, there's only been a single HIPAA fine over poor healthcare data security practices.

Perhaps the healthcare industry is doing a great job of keeping our patient data secure, and funding for HITECH enforcement should be cut, as some members of Congress have proposed.

Except that the healthcare industry doesn't appear to be properly protecting patient data. According to a survey conducted by certificate authority GlobalSign and released last week, in the past two years, one-third of surveyed healthcare organizations said they'd experienced a data breach involving patient records.

Furthermore, two new audits of the government agencies charged with setting and enforcing healthcare data security standards found that hospitals, healthcare organizations, and state agencies are failing to properly protect people's personal health information. In the audits, the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) criticized both the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) for failing to properly enforce HIPAA. It also found that data is being put at risk, and even stolen without hospitals' knowledge.

What's the problem? For starters, there's strong evidence of bystander effect--numerous agencies are involved, but none seem to be in charge. That's in spite of the government pouring billions of dollars into converting the healthcare industry to electronic patient records. Arguably, there's never been a better time for the government to demand stringent data security standards in return for a piece of the pie.

Current hospital data security practices appear to be woefully inadequate. Indeed, OIG auditors also investigated electronic protected health information (ePHI) practices at seven hospitals across the nation. They found "151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact," according to the OIG's report. Threats included ineffective wireless encryption, rogue access points, missing firewalls, laptops storing unencrypted ePHI, outdated antivirus signatures, failing to apply critical operating system patches, and unlocked data centers.

"These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk," according to the report. "Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge."

Who's to blame? Auditors slammed the Centers for Medicare and Medicaid Services--and its Office for Civil Rights (OCR)--for failing to proactively assess any hospitals' compliance with HIPAA. "Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so," according to the report.

If that sounds familiar, it's because government auditors found that the Centers for Medicare and Medicaid Services were similarly failing to enforce HIPAA security rules back in 2008. At the time, CMS leadership argued that "its complaint-driven enforcement process has furthered the goal of voluntary compliance," according to the 2008 audit. But given the number of data security vulnerabilities found in the seven recently audited hospitals, the voluntary compliance regime appears to be failing. Furthermore, if not even hospitals know when patient data is being stolen, who's going to complain?

Likewise, HHS last week proposed changes to the HIPAA privacy rule to let people review who's accessed their data, as well as who their data has been shared with. But if that data isn't secure, who thinks those access records will be 100% accurate?

Cue a now-common refrain: Something must be done to correct the current state of health information data security. Where can we start? "Fixing the serious data security problems afflicting the health care system will require coordinated and focused action among several government agencies, particularly ONC, OCR, and [CMS]," said Harley Geiger, policy counsel at the Center for Democracy & Technology (CDT), in a blog post.

But don't expect HIPAA to get teeth anytime soon. "The [OIG] reports acknowledge that responsibility for health data security is vested in a number of agencies, and the reports recommend that ONC coordinate its work with CMS and OCR where applicable," said Geiger. "Unfortunately, these points are buried and not given weight proportionate to the scale of the problem. The failure to have a comprehensive, coordinated strategy is at the root of the issues raised in the report."


In the new, all-digital InformationWeek Healthcare: iPads are leading a new wave of devices into the exam room. Are security, tech support, and infection control up to the task? Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4233
Published: 2015-07-02
SQL injection vulnerability in Cisco Unified MeetingPlace 8.6(1.2) allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCuu54037.

CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report