Dive Brief:
- A recent report by the Government Accountability Office blasts HHS’ cybersecurity track record, saying data breaches experienced by covered entities and their business associates have compromised the personal information of tens of millions of individuals.
- Technical advice following investigations into reported cyber incidents often fails to address the complaint directly, and follow-up on corrective actions is inconsistent, according to the 43-page report.
- The watchdog agency makes five recommendations for improving security around EHRs.
Dive Insight:
The number of reported breaches involving EHRs has grown from zero in 2009 to 56 — involving over 113 million records — last year, the report says.
While HHS has guidance on HIPAA privacy rules and compliance by covered entities, it doesn’t clarify how entities should tailor implementation of key security controls to their specific needs, the GAO says. To strengthen guidance and oversight of health information security, the report recommends HHS:
- Update its guidance to ensure it addresses implementation of controls described in the National Institute of Standards and Technology’s Cybersecurity Framework;
- Update technical advice for covered entities regarding security concerns;
- Ensure there is regular follow-up on implementation of corrective actions;
- Set performance measures for the Office for Civil Rights (OCR) audit program; and
- Create a pathway for OCR and the Centers for Medicare & Medicaid Services to share the results of HIPAA-related audits and investigations.
The GAO initiated the study at the request of Sen. Lamar Alexander (R-TN) and Sen. Patty Murray (D-WA), chairman and ranking member, respectively, of the Senate Health, Education, Labor and Pensions Committee.
The report comes as hospitals are reeling from a string of cybersecurity failures this year. Last month, Bon Secours Health System notified more than 650,000 patients that their personal information may have been breached. Also in August, Banner Health reported that hackers may have accessed payment data for 3.7 million individuals through point-of-sale systems at affiliated food vendors.
It follows a broader analysis of cybersecurity across federal agencies released earlier this month by the GAO. That report showed a 1,300% increase in cyber incidents government-wide between 2006 and 2015 — from about 5,500 to more than 77,000.