ONC is mandated by the American Recovery and Reinvestment Act (ARRA) of 2009 to be a security champion, which includes the responsibility of keeping the national health IT strategic plan updated to guarantee its integrity and protect against intrusion. The U.S. Department of Health and Human Services (HHS) security audit, conducted by OIG, found that ONC had not dealt with fundamental security requirements, nor had it conducted its own audit to determine if gaps existed in its security criteria, even though it had the authority to do so.
The 23-page "Audit of Information Technology Security Included in Health Information Technology Standards" was published on May 16. The report stated that ONC had included application IT security controls in its interoperability specifications, but its healthcare IT standards failed to include any general IT security controls.
The audit assessed ONC's process, issued in April 2009, for creating and adopting interoperability specifications. OIG auditors also evaluated both the January 2010 Interim Final Rule and the July 2010 Final Rule that specified certification requirements for equipment, software, and systems needed to receive meaningful use EHR adoption financial incentives.
The OIG defines general IT security controls as the structure, policies, and procedures that apply to an entity's overall computer operations, that ensure the proper operation of information systems, and that create a secure environment for application systems and controls. It specifically cited the following examples, none of which were included in any ONC criteria:
- Encryption of data on portable media, such as medical and DICOM CDs and DVDs and flash drives. Also, encryption of data on any type of mobile media, such as a smartphone or electronic tablet.
- Two-factor authentication when remotely accessing a healthcare IT system. Two-factor authentication typically requires use of a physical token, such as an access card, as well as a password linked to an individual.
- Software upgrades, patches, or other security enhancements to keep certified products and IT systems protected from computer viruses, malware, or other forms of attack on a healthcare IT component or system.
"Lack of any of these or other IT security controls can expose healthcare IT systems to a host of problems," the OIG auditors observed.
OIG had also conducted an audit of eight unnamed hospitals to evaluate the effectiveness of the HIPAA security rule. It issued a 36-page report, also on May 16, lambasting the Office for Civil Rights for lack of rigor in enforcing its security provisions. Security weaknesses that auditors identified at the hospitals included unprotected wireless networks, inadequate system patching, outdated or missing antivirus software, lack of system event logging or review, unencrypted portable media, shared user accounts, and excessive user access and administrative rights.
In view of this, the auditors did not accept the explanation from ONC of deferring to the HIPAA security rule for addressing fundamental IT security for healthcare IT.
"Our HIPAA reviews identified vulnerabilities in the HHS oversight function and the general IT security controls," they wrote. "Those vulnerabilities in hospitals, Medicare contractors, and stage agencies, combined with our findings in this audit, raise concern about the effectiveness of IT security for healthcare IT if general security controls are not addressed by the ONC."
Recommendations for change
OIG said it made the following recommendations to ONC, which ONC had accepted by the time the audit report was published:
- Develop specifications and requirements for general IT security controls for supporting systems, networks, and infrastructures.
- Provide guidance to the health industry on established general IT security standards and IT industry security best practices.
- Emphasize the importance of general IT security to the medical community.
- Coordinate work with the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights to add general IT security controls where applicable.
The American Health Information Management Association (AHIMA) issued a statement supporting the OIG recommendations and suggesting that security education also be offered to providers and states implementing EHRs and health information exchanges. However, AHIMA did not believe the HIPAA security rule enforcement audit had a large enough sample size to reflect the state of health information security in the U.S., according to its president, Bonnie Cassidy.
The Healthcare Information and Management Systems Society (HIMSS) stated that the two reports provide important input to ONC's HIT Policy Committee as it finalizes stage 2 meaningful use requirements and continues its planning for stage 3.
"Healthcare organizations often cite the perceived lack of enforcement of the HIPAA security rule as a primary reason for lack of focus and resources for this area," noted Lisa Gallagher, HIMSS senior director of privacy and security. "With a visible increase in enforcement for HIPAA security, coupled with the publication of audit requirements or guidelines, healthcare organizations would have greater leverage for increased funding and enhanced security management efforts."
Mac McMillan, CEO of security firm CynergisTek, told AuntMinnie.com that the OIG audit accurately assessed that the HIPAA security rule is an inadequate substitute for a real standard.
"The idea that an EHR, even one implemented properly, is secure in an environment that isn't secure is not reasonable," he said. "The focus should not just be on the EHR. Security needs to address the enterprise it lives in. The time to address those security standards is now, while developing the framework for health IT."
But from McMillan's perspective, the OIG auditors were somewhat myopic as well.
"The report missed the chance to recognize that major segments of the healthcare industry, such as radiology and long-term care organizations, have not as yet been included in proposed or finalized 'meaningful use' requirements, and that security weaknesses in these entities could compromise EHRs," he said. "Nor did the report address the continued security issues associated with medical devices."