The recently released “scathing” report from the Government Accountability Office (GAO) provides insight into health information technology threats and cyber security preparedness. GAO reported that many investigations led by the Department of Health and Human Services (HHS) resulted in technical advice, which may not be relevant or applicable to the agency. In addition, GAO claimed that HHS did not follow up on the investigations in the majority of cases, nor did it check whether corrective measures were implemented.
According to the report, the current guidelines set by HHS to secure health information are not capable of protecting health providers from increased cyber-based threats. The founder of the World Privacy Forum, Pam Dixon, said, “Finally, for the first time that I know of there’s an official document saying that the insider threat is the most significant threat.” The World Privacy Forum is a nonprofit organization, based in San Diego, which tracks security issues and the privacy of patients.
Chairman Sen. Lamar Alexander (R-Tenn.) and the ranking member, Sen. Patty Murray (D-Wash.), of the Senate Health, Education, Labor, and Pensions Committee have shown great interest in federal health IT policy. The legislators had also requested the GAO report. Officials in the health agency had earlier submitted a report on cyber security across the federal government, which indicated an enormous increase in cyber attacks on federal government agencies in the past couple of years.
The HHS Office for Civil Rights has publicly reported medical record breaches involving 500 individuals on its “wall of shame” website since September 2009. Approximately 1,667 large medical breaches have been published on this list. However, this estimate indicates that cyber attackers were able to breach the medical records of more than half of U.S. citizens.
Reports also indicate that 13.3 percent of all the medical breaches were attributed to hacking incidents alone. However, many of these medical breaches were huge, and approximately 75% of medical records were exposed.
Dixon said that the GAO report reveals that HHS is not giving adequate guidance to health care providers about cyber security and its risks. Dixon added that HHS is also not trying to solve the issue with HIPAA-required risk assessments. Commenting on the GAO report, Dixon said, “They want HHS to greatly expand their technical guidance. There’s really not a good way to look at the audits and see if they are effective.”