On May 16, the HHS Office of Inspector General (OIG) issued two important reports on health data security. The reports draw attention to security problems in the health care industry that have persisted for years and shine a bright spotlight on the urgent need for regulators to more aggressively and effectively address these issues. While the OIG reports are not the first to point out the lack of consistent, strong security protections for health data, hopefully the reports will make data security a more urgent priority for HHS. There are, however, a couple of points the OIG reports appeared to miss, including what may be at the root of the problem: the lack of a coordinated and well-executed data security strategy among HHS agencies.
Reports Note Gaps In Health Data Security
One OIG report described data security audits of seven hospitals. This report found a large number of high impact vulnerabilities in the systems the hospitals used to protect digital health information. These vulnerabilities included ineffective encryption for wireless networks and portable devices, unlocked rooms containing backups of patient data, and a failure to monitor computers and servers for known threats to patient data. The report emphasized that these problems placed the confidentiality, integrity and availability of patients’ electronic health information at significant risk. The report concluded that the HHS Office of Civil Rights (OCR) needed to initiate more compliance reviews to ensure providers are properly protecting health information.
The second OIG report evaluated the security standards the HHS Office of the National Coordinator (ONC) established for electronic health records. This report gave credit to ONC for establishing security controls for health IT applications, like electronic health records (EHRs) through interoperability specifications. These interoperability specifications were incorporated into the EHR certification process and included such requirements as encryption of transmissions between EHR systems, access controls, audit logging and entity authentication. The OIG report criticized ONC for not requiring general security standards for health care providers’ overall operating environment. The report specifically noted that ONC did not require encryption for portable devices, two-factor authentication for remote access to an HIT system or security patches of providers’ computer operating systems. The report concluded that ONC should branch out from interoperability specifications for EHRs to include data security requirements for providers’ overall computer operations, networks and infrastructures.
Fixing the serious data security problems afflicting the health care system will require coordinated and focused action among several government agencies, particularly ONC, OCR and the Centers for Medicare and Medicaid Services (CMS). The reports acknowledge that responsibility for health data security is vested in a number of agencies, and the reports recommend that ONC coordinate its work with CMS and OCR where applicable. Unfortunately, these points are buried and not given weight proportionate to the scale of the problem. The failure to have a comprehensive, coordinated strategy is at the root of the issues raised in the report.
ONC’s authority is generally limited to setting the criteria for certified EHR technology – the application controls that OIG gives ONC credit for having established. For the most part, EHR vendors seek certification for their products, but there is currently no requirement that ONC “certify” providers’ overall data environments, and no grant of authority that would enable ONC to hold providers accountable for implementing an end-to-end security program. The OIG report seems to suggest that ONC draw authority from passages of the Recovery Act that require the National Coordinator to “perform [his or her] duties… in a manner that… allows for electronic use and exchange of information that… ensures that each patient’s health information is secured and protected, in accordance with applicable law.” Although ONC’s standard-setting and coordinating functions are crucial, ONC does not have sufficient authority or enforcement tools from Congress to address all of the issues identified by the OIG. Any push aimed at fixing security problems throughout the entire health care sector will require proactive, sustained cooperation from CMS and OCR.
CMS no longer has any direct HIPAA implementation obligations, but it controls the criteria for the federal meaningful use program through which health care providers receive incentives for EHR adoption. However, CMS has thus far been reluctant to use the meaningful use criteria as a means to push the health care industry to adopt and implement comprehensive privacy and security protections. In fact, CMS rejected a recommendation from the Health IT Policy Committee to disqualify a provider from meaningful use in any year in which it was fined for a significant (willful neglect or criminal) HIPAA violation. To resolve the systemic security issues described in the OIG reports, CMS will need to take a tougher stance in the meaningful use criteria related to data security.
The Office of Civil Rights is responsible for ensuring appropriate implementation of the HIPAA Security Rule, which encompasses enterprise security of electronic protected health information. However, the Security Rule gives providers a great deal of flexibility with respect to implementation, and OCR does not consistently update the rule with guidance that reflects new threats and new demands on IT security infrastructure. OCR also has a history of lackluster enforcement of the Security Rule, although this appears to be changing of late. OCR will need to work closely with providers to ensure they understand the threat environment and the specific security solutions necessary to safeguard health data in their systems – and then OCR must back up its work with security audits that are not only initiated in response to patient complaints.
Complex Problems In Need Of Multifaceted Solutions
Data security is a critical element of a trusted digital health environment. It is positive that the OIG reports bring additional attention to the extensive security problems in the health care system. However, to effectively resolve systemic data security issues, HHS’ course of action will have to be more comprehensive than the piecemeal solutions the OIG reports recommend. More unprompted compliance audits from OCR and more guidance and general standards from both OCR and ONC are a good start, but a more aggressive approach would be for HHS’ agencies to collectively evaluate each of the policy tools at their disposal and identify and implement specific measures that hold providers accountable for implementing strong security policies and technical safeguards. Ensuring end-to-end data security among diverse health care organizations raises numerous practical barriers, of course – but inadequate coordination among federal agencies or their failure to make full use of existing policy authorities shouldn’t be among them.