The numerous and widespread systems used to store and transmit patients’ health information in electronic form are vulnerable to cyber-based threats. Breaches in recent years involved more than 113 million records in 2015, and “can have serious adverse impacts such as identity theft, fraud and disruption of health care services.” Their number has increased steadily in recent years, from 0 in 2009 to 56 in 2015, said a new Government Accountability Office (GAO) audit report.
The use of electronic health information can allow providers to more efficiently share information and give patients easier access to their health information, among other benefits. Nonetheless, GAO found that while “the Department of Health and Human Services (HHS) has established guidance for covered entities, such as health plans and care providers, for use in their efforts to comply with HIPAA requirements regarding the privacy and security of protected health information,” it hasn’t “address[ed] all elements called for by other federal cybersecurity guidance.”
“Specifically,” GAO stated, “HHS’s guidance does not address how covered entities should tailor their implementations of key security controls identified by the National Institute of Standards and Technology to their specific needs. Such controls include developing risk responses, among others. Further, covered entities and business associates have been challenged to comply with HHS requirements for risk assessment and management.”
And, “Without more comprehensive guidance, covered entities may not be adequately protecting electronic health information from compromise,” Congress’ investigative branch determined.
HHS has established an oversight program for compliance with privacy and security regulations, GAO found, but these “actions did not always fully verify that the regulations were implemented. Specifically, HHS’s Office of Civil Rights investigates complaints of security or privacy violations, almost 18,000 of which were received in 2014, and has established an audit program for covered entities’ security and privacy programs.”
“However,” GAO noted, “for some of its investigations it provided technical assistance that was not pertinent to identified problems, and in other cases it did not always follow up to ensure that agreed-upon corrective actions were taken once investigative cases were closed. Further, the office has not yet established benchmarks to assess the effectiveness of its audit program.”
“These weaknesses result in less assurance that loss or misuse of health information is being adequately addressed,” GAO said.
GAO explained that, “as a digital version of a patient’s medical record or chart,” an electronic health record (EHR) “can make pertinent health information more readily available and usable for providers and patients.”
But GAO said “recent data breaches highlight the need to ensure the security and privacy of these records. HHS has primary responsibility for setting standards for protecting electronic health information and for enforcing compliance with these standards.”
The GAO’s specific objectives were to describe the expected benefits of and cyber threats to electronic health information; determine the extent to which HHS’s security and privacy guidance for EHRs is consistent with federal cybersecurity guidance; and assess the extent to which HHS oversees these requirements. To address these objectives, GAO reviewed relevant reports, federal guidance, and HHS documentation and interviewed subject matter experts and agency officials.
GAO made five recommendations, “including that HHS update its guidance for protecting electronic health information to address key security elements, improve technical assistance it provides to covered entities, follow up on corrective actions and establish metrics for gauging the effectiveness of its audit program.”
HHS generally concurred with the GAO’s recommendations, confirming it would take actions to implement them.