Mobile Healthcare Today's Editor's Blog is a place for our editorial staff - and valued industry professionals - to provide their commentary regarding the latest developments. The opinions of our guest bloggers may not reflect the sentiments of MHCT.

Audits Underline HC Security Crisis

By Richard Martin

Our digital issue on “Security and Privacy in the Mobile Healthcare Space,” which went up last week, and our three-part Security Roundtable with seven leading security and privacy experts, which appeared this week, could not have been better timed. The scathing reports from the Dept. of Health and Human Services’ Inspector General’s office (OIG) make it clear that the problems are, if anything, worse than previously realized. “Crisis” is not too strong a word.

The OIG released two reports simultaneously, one on the Centers for Medicare & Medicaid Services (CMS) and one on the Office of the National Coordinator for Health IT (ONC). The CMS report audited security controls at seven “covered entities” under HIPAA and found that “CMS had limited assurance that controls were in place and operating as intended to protect electronic personal health information, thereby leaving electronic personal health information vulnerable to attack and compromise.” The audits listed a total of 151 vulnerabilities in the hospitals’ electronic personal health information systems.

Keep in mind, this is 15 years after Congress passed HIPAA, which includes specific rules for EMRs. The rush to roll out EMRs in order to qualify for federal “meaningful use” funding is clearly producing an unacceptable security and privacy situation.

The ONC report, if anything, is even more damning. Its central conclusion is that, in its interoperability standards for health information technology infrastructure, the ONC has included “no HIT standards that included general information IT security controls.” Those controls would apply most particularly to mobile devices and networks, such as data encryption on mobile devices, two-factor authentication for remote access to healthcare organizations’ networks, and so on.

To repeat, the OIG didn’t find that the security controls in the interoperability standards promulgated by the ONC were insufficient; it found that there weren’t any.

“The OIG is saying to HHS that all these entities have bad security, they’re basically vulnerable,” security expert Rebecca Herold, author of The Practical Guide to HIPAA Privacy and Security Compliance, told me. “The reports really underline the need for organizations under HIPAA and HITECH to get going on compliance if they haven’t done so.”

On June 22nd I’ll be hosting a webinar with Herold on “10 Risk-Reducing Actions for Mobile HIPAA/HITECH Compliance.” Again, the timing couldn’t be better.
