Last year Sen. Lamar Alexander and Sen. Patty Murray asked for answers to some questions concerning cybersecurity in healthcare and whether HIPAA security updates were needed. We discussed the Senators' request in episode 31.
Their letter asked:
- What CMS and HHS are doing to monitor medical identity fraud
- What CMS and/or OCR are actually doing, if anything, to track cases of ID theft and fraud
- How OCR uses the data collected from covered entities to monitor potential breach victims and find out if their data have in fact been used by criminals
- Whether any education materials or help are offered to breach victims by CMS and OCR
The report was presented to the committee on August 6, 2016 and made public on Sept 26.
It was done by the United States Government Accountability Office (GAO), which means it followed the standards required of a performance audit; the audit work ran from June 2015 to August 2016.
Their response says: GAO was asked to review the current health information cybersecurity infrastructure. The specific objectives were to:
1) Describe expected benefits of and cyber threats to electronic health information.
2) Determine the extent to which HHS security and privacy guidance for EHRs is consistent with federal cybersecurity guidance.
3) Assess the extent to which HHS oversees these requirements.
Important notes about their analysis
The report goes into a lot of depth that includes how they evaluated the industry as well as their recommendations involving HIPAA security updates. Here are several things I noted in their analysis, then their 5 recommendations.
Health Care Is a Sector of the U.S. Critical Infrastructure
Critical infrastructure consists of systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on national public health or safety, the nation's security, or national economic security. The critical infrastructure sectors were defined in Presidential Policy Directive 21 and consist of 16 sectors, one of which is health care and public health.
The NIST Cybersecurity Framework (CSF) was created to address the needs of critical infrastructure.
The Number of Incidents Resulting in the Loss of Electronic Health Information Is Increasing
More individuals’ ePHI was compromised in 2015 than in any previous year following the establishment of the HITECH Act in 2009, according to data that health care providers reported to HHS. Based on these data, over 113 million individual health care records were compromised in 2015 due to hacking or other incidents.
This report covers only part of 2016, and we know that things haven't gotten exceptionally better since.
For example, a study conducted by Mandiant reported that health care IT breaches, which had previously been a minor portion of their investigations, emerged in 2014 as a notable target for criminals. Likewise, a study done by KPMG in 2015 reported that a survey of healthcare executives indicated that health care organizations are frequently targeted compared to other types of organizations and that the magnitude of the threat against health care information has grown exponentially.
Threats to Electronic Health Information Come from Multiple Sources and Can Have Significant Adverse Impacts
In addition to the threat of cyberattack, health IT systems face significant threats from insiders. While all of the breaches of over 1 million records in 2015 were attributed to outside attackers, a health care industry representative told us that insiders are consistently identified as the biggest threat. In addition to the threat of healthcare professionals and staff directly accessing medical records for unauthorized purposes, insiders may also fall victim to phishing attacks and other forms of social engineering that could provide outside attackers with unauthorized access to IT systems that they would not otherwise be able to obtain.
HHS Security and Privacy Guidance Does Not Fully Address Important Controls Outlined in Federal Guidance
The guidance published by HHS does not address all of the elements in the NIST guidance. HHS officials said they intended their guidance to be minimally prescriptive to allow flexible implementation by a wide variety of covered entities. However, until these entities address all the elements of the NIST Cybersecurity Framework, their EHR systems and data are likely to remain unnecessarily exposed to security threats.
Covered Entities and Business Associates Have Been Challenged to Comply with the HIPAA Security and Privacy Rules
Specifically, HHS data from 2015 show that performing risk assessments and developing risk management plans (the plans that document how identified risks are to be addressed) are among the most challenging aspects of the rules for covered entities to implement. OCR investigations where corrective actions were required showed that approximately 23.9 percent of complaints and breach reports received by HHS result in investigations that involve questions about how organizations have conducted risk analyses. Approximately 22.3 percent of them involve how organizations developed risk management plans.
HHS Security Guidance Does Not Fully Align with the NIST Cybersecurity Framework
While the crosswalk demonstrated that the major elements of the Security Rule correspond to elements of the NIST Cybersecurity Framework, HHS guidance does not address many of the specific security control elements included in the Cybersecurity Framework. For example, of the 98 framework subcategories, the HSR Toolkit fully addresses only 19. Many of the specific controls detailed within the framework's 98 subcategories are not addressed in either the HHS security assessment guidance or its other risk management guidance.
Recommendations for Executive Action involving HIPAA Security Updates
- Update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the NIST Cybersecurity Framework;
- Update technical assistance that is provided to covered entities and business associates to address technical security concerns;
- Revise the current enforcement program to include following up on the implementation of corrective actions;
- Establish performance measures for the OCR audit program; and
- Establish and implement policies and procedures for sharing the results of investigations and audits between OCR and CMS to help ensure that covered entities and business associates are in compliance with HIPAA and the HITECH Act.
Hopefully, these HIPAA security updates will be implemented so that we can better protect ePHI.