Risk
6/1/2011
04:05 PM
50%
50%

Schwartz On Security: Your Medical Records At Risk

The current, voluntary approach to HIPAA data security rules hasn't resulted in adequate security for electronic protected health information.

As people's private medical records increasingly get stored in electronic format, a question looms: Will our records be stored securely, so that they can't be easily stolen or publicly released en masse?

The Health Insurance Portability and Accountability Act (HIPAA), passed 15 years ago, was created to ensure that the healthcare industry kept patient data secure. Interestingly, however, since the passage of the HITECH Act in 2009, which was supposed to strengthen HIPAA enforcement, there's only been a single HIPAA fine over poor healthcare data security practices.

Perhaps the healthcare industry is doing a great job of keeping our patient data secure, and funding for HITECH enforcement should be cut, as some members of Congress have proposed.

Except that the healthcare industry doesn't appear to be properly protecting patient data. According to a survey conducted by certificate authority GlobalSign and released last week, in the past two years, one-third of surveyed healthcare organizations said they'd experienced a data breach involving patient records.

Furthermore, two new audits of the government agencies charged with setting and enforcing healthcare data security standards found that hospitals, healthcare organizations, and state agencies are failing to properly protect people's personal health information. In the audits, the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) criticized both the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) for failing to properly enforce HIPAA. It also found that data is being put at risk, and even stolen without hospitals' knowledge.

What's the problem? For starters, there's strong evidence of bystander effect--numerous agencies are involved, but none seem to be in charge. That's in spite of the government pouring billions of dollars into converting the healthcare industry to electronic patient records. Arguably, there's never been a better time for the government to demand stringent data security standards in return for a piece of the pie.

Current hospital data security practices appear to be woefully inadequate. Indeed, OIG auditors also investigated electronic protected health information (ePHI) practices at seven hospitals across the nation. They found "151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact," according to the OIG's report. Threats included ineffective wireless encryption, rogue access points, missing firewalls, laptops storing unencrypted ePHI, outdated antivirus signatures, failing to apply critical operating system patches, and unlocked data centers.

"These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk," according to the report. "Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge."

Who's to blame? Auditors slammed the Centers for Medicare and Medicaid Services--and its Office for Civil Rights (OCR)--for failing to proactively assess any hospitals' compliance with HIPAA. "Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so," according to the report.

If that sounds familiar, it's because government auditors found that the Centers for Medicare and Medicaid Services were similarly failing to enforce HIPAA security rules back in 2008. At the time, CMS leadership argued that "its complaint-driven enforcement process has furthered the goal of voluntary compliance," according to the 2008 audit. But given the number of data security vulnerabilities found in the seven recently audited hospitals, the voluntary compliance regime appears to be failing. Furthermore, if not even hospitals know when patient data is being stolen, who's going to complain?

Likewise, HHS last week proposed changes to the HIPAA privacy rule to let people review who's accessed their data, as well as who their data has been shared with. But if that data isn't secure, who thinks those access records will be 100% accurate?

Cue a now-common refrain: Something must be done to correct the current state of health information data security. Where can we start? "Fixing the serious data security problems afflicting the health care system will require coordinated and focused action among several government agencies, particularly ONC, OCR, and [CMS]," said Harley Geiger, policy counsel at the Center for Democracy & Technology (CDT), in a blog post.

But don't expect HIPAA to get teeth anytime soon. "The [OIG] reports acknowledge that responsibility for health data security is vested in a number of agencies, and the reports recommend that ONC coordinate its work with CMS and OCR where applicable," said Geiger. "Unfortunately, these points are buried and not given weight proportionate to the scale of the problem. The failure to have a comprehensive, coordinated strategy is at the root of the issues raised in the report."


In the new, all-digital InformationWeek Healthcare: iPads are leading a new wave of devices into the exam room. Are security, tech support, and infection control up to the task? Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0750
Published: 2015-05-22
The administrative web interface in Cisco Hosted Collaboration Solution (HCS) 10.6(1) and earlier allows remote authenticated users to execute arbitrary commands via crafted input to unspecified fields, aka Bug ID CSCut02786.

CVE-2012-1978
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via a request to auth/process.php, (2) delete an administrator via a request to auth/admi...

CVE-2015-0741
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596.

CVE-2015-0742
Published: 2015-05-21
The Protocol Independent Multicast (PIM) application in Cisco Adaptive Security Appliance (ASA) Software 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115), 100.13(0.21), 100.13(20.3), 100.13(21.9), and 100.14(1.1) does not properly implement multicast-forwarding registrati...

CVE-2015-0746
Published: 2015-05-21
The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.