GAO: HHS Has Not Implemented Critical Cyber Recommendations
Report Spotlights Cybersecurity Shortcomings
Over the last four years, the Government Accountability Office has made hundreds of recommendations to the Department of Health and Human Services for improving its operations, many of which have not yet been implemented.
"The nation's critical infrastructure provides the essential services - including healthcare - that underpin American society. The infrastructure relies extensively on computerized systems and electronic data to support its missions," GAO writes. "However, serious cybersecurity threats to the infrastructure continue to grow and represent a significant national security challenge. Additionally, recent data breaches have highlighted the importance of ensuring the security of health information, including Medicare beneficiary data."
Such critical data is created, stored, and used by a wide variety of entities, such as healthcare providers, insurance companies, financial institutions, researchers and others, GAO notes.
"The four open priority recommendations within this area outline steps to ensure HHS can effectively monitor the effect of electronic health records programs and progress made toward goals; encourage adoption of important cybersecurity processes and procedures among healthcare entities; protect Medicare beneficiary data accessed by external entities; and ensure progress is made toward the implementation of IT enhancements needed to establish the electronic public health situation awareness network."
For example, GAO notes that in March 2018, it recommended that the administrator of the Centers for Medicare and Medicaid Services develop processes and procedures to ensure that certain external entities, including organizations that use claims data to evaluate the performance of Medicare service providers and equipment suppliers, have effectively implemented information security controls.
"CMS will be engaging a contractor to review the current data security framework and make recommendations on specific controls and implementation requirements that would be appropriate for those entities," GAO notes. To fully implement this recommendation, however, CMS needs to develop appropriate processes and procedures for implementing these controls, GAO adds.
GAO also made three other high-priority recommendations involving health information technology and cybersecurity issues that HHS has not yet implemented.
Critical infrastructure protection: GAO in 2018 recommended that HHS, in cooperation with the Secretary of Agriculture, take steps to consult with partners, such as the Department of Homeland Security and the National Institute of Standards and Technology, to develop methods for determining the level and type of cybersecurity framework adoption by entities in each sector.
In its latest report, GAO notes that HHS is still working to identify applicable methods for determining the level and type of framework adoption across the healthcare and public health sectors.
Electronic health record programs: GAO notes that industry participation in the HITECH Act "meaningful use" EHR incentive program (now called the "Promoting Interoperability" program) has increased, but action is needed by HHS to achieve goals, including improved quality of care. The program requires meeting certain data security requirements.
Back in 2014, GAO recommended that HHS develop performance measures to assess the outcomes of the EHR programs. That includes any effects on healthcare quality, efficiency and patient safety.
"HHS provided a variety of publicly available reports, which the department indicated showed how program participants were progressing in the EHR programs and the related impacts. However, in reviewing those materials, we did not see evidence that HHS had developed outcome-oriented performance measures that align with the intended outcomes of the EHR programs."
To fully implement this recommendation, GAO says HHS needs to develop performance measures that enable the agency to assess whether the "Promoting Interoperability" program is improving outcomes.
Public health IT: GAO says HHS has made little progress toward implementing enhanced national public health situational awareness network capabilities that would enable officials to access real-time information about emerging health threats to make timely decisions in emergencies.
The watchdog agency notes that in 2017, it recommended to HHS that it should conduct all IT management and oversight processes related to the establishment of the network in accordance with Enterprise Performance Life Cycle Framework guidance.
Mac McMillan, CEO of security consulting firm CynergisTek, says it's especially important for HHS to implement GAO's cybersecurity framework recommendations.
"Ensuring the adoption of a common framework that meets the needs of today's threat environment is critical to the successful achievement of interoperability, information integrity and availability and the ability to meet situational awareness and other programmatic goals," McMillan says. "Without a solid foundation based on a common framework, establishing the trust relationships that are necessary to data sharing is very hard to imagine, let alone achieve."
Susan Lucci, senior privacy and security consultant at tw-Security, notes that the HITECH Act meaningful use program criteria were designed to encourage providers to capture information that could potentially improve quality and outcomes. That data must be kept private, as well as accessible to patients, to ensure HIPAA compliance.
"Patient portals have been deployed to allow individuals to obtain their health information. The goal was to empower the patient with information to help them make informed decisions about their care. Participation and utilization are still not optimal," she notes.
"Complaints continue to be made with the HHS Office for Civil Rights about denial of access to records. So clearly, we have a problem that needs to be resolved," she notes.