OIG: HHS Needs to Push Secure Health Data ExchangeReport Outlines HHS Management, Performance Challenges
Now that electronic health records have been widely adopted, the Department of Health and Human Services must do more to promote the exchange of complete, accurate and timely information, subject to appropriate privacy and security safeguards, according to a new federal watchdog report.
In its report, the HHS Office of Inspector General identifies 10 top management and performance challenges facing HHS as it strives to fulfill its mission "to enhance the health and well-being of Americans by providing effective health and human services and by fostering sound, sustained advances in the sciences underlying medicine, public health and social services."
OIG also acknowledges: "In this presidential transition year, HHS must address these challenges while undertaking the additional important responsibility of conducting a well-orchestrated transition to new leadership. ... The transition will require heightened focus on effective coordination across HHS operating divisions, continuity of operations and emergency preparedness. This transition must be accomplished while maintaining and strengthening HHS's many complex programs and protecting and serving its beneficiaries."
Secure Health Data
OIG explains that "health IT and the meaningful and secure use of electronic information" is a top 10 challenge for HHS because it maintains and uses expanding amounts of sensitive information. "Complete, accurate, and timely data can help ensure efficient operations of HHS and its programs, as well as support proactive program oversight," the report notes.
Similarly, the nation's healthcare system increasingly relies on health IT and the electronic exchange and use of health information, OIG writes.
"Health IT, including electronic health records, offers opportunities for improved patient care, more efficient practice management, and improved overall public health," OIG writes. "However, HHS continues to face a number of significant challenges in this information-rich environment."
Breaking Down the Challenges
OIG breaks down the challenges related to the meaningful and secure exchange of health information into three key components:
- Maintaining the security of health data. HHS must, for example, ensure appropriate data protections when implementing policies related to the adoption of health IT and the exchange, storage and use of electronic health information. "The rapid pace at which technology evolves, the continuing expansion of the internet of things - including networked medical devices - and the rise of mobile health technology contribute to the complexity of the privacy and security challenges facing HHS."
- Improving the flow of complete, accurate and timely information. There must be meaningful access, subject to appropriate privacy and security safeguards, to complete, accurate and timely data, where and when it's needed, OIG writes. "However, enabling and encouraging the flow of information remains a challenge for HHS. Several factors may impede the flow of information. These include technical barriers - for example, lack of [EHR] interoperability, the complex nature of federal and state privacy and security laws, financial considerations - such as the cost of health IT acquisition - and behavioral issues - such as information blocking and consumer confidence - that relate to a willingness to share information."
- Delivering on the promise of health IT. HHS faces challenges in ensuring that the goals associated with investing in the widespread adoption and use of EHRs are fulfilled, OIG notes. These challenges include, for example, ensuring that the beneficial characteristics of EHRs, including efficiency and ease of storage and access, are not used as tools for fraud.
Addressing Emerging Threats
OIG also calls on HHS to take action to help healthcare organizations address emerging security threats.
"Threats to information privacy and security are evolving, as evidenced by the recent rise of ransomware, and HHS must remain vigilant," OIG writes. For instance, HHS must make sure organizations complete HIPAA-required contingency planning for EHRs to prevent and mitigate disruptions caused by ransomware and other threats, OIG notes.
To achieve goals identified in the Office of the National Coordinator for Health IT's 10-year interoperability roadmap and those associated with the Obama administration's Precision Medicine Initiative, HHS must do more to improve the secure flow of complete, accurate and timely information, OIG notes.
"This includes ensuring that HHS's data systems are developed and operated in a way that delivers complete, accurate and timely data," OIG writes. "HHS must also find ways to remove potential barriers to leveraging health IT and related data to advance public health initiatives and to facilitate sharing and use of information along the entire continuum of care - beyond just those who are eligible for EHR incentives."
OIG also notes that HHS should issue additional guidance and technical assistance to address EHR adoption, meaningful use, interoperability barriers and program integrity safeguards. "It is also essential that privacy, security and fraud prevention remain at the forefront of health IT efforts of HHS," OIG writes.
Experts Weigh In
The OIG report reflects the "enormous challenges of achieving the ultimate goals of health IT - indeed realizing the very vision of the HITECH Act of 2009," says Dan Berger, CEO of security consultancy Redspin, making reference to the law that provided billions of dollars in financial incentives for the use of EHRs.
"I've said for years that the success of the electronic health record initiative is the foundational element of lowering costs, shifting to value-based care and ultimately improving patient outcomes. What has been underestimated to date is the inherent difficulty of achieving acceptable standards of privacy and security while at the same time increasing accessibility and interoperability," he says.
"In other words, we need patient data to be readily available to every authorized user while at the same time imposing stringent safeguards to protect the information. There is inherent tension between these two objectives - it's the crux of the problem."
Addressing this problem, Berger says, will require collaboration among healthcare providers, payers, regulators and technology vendors.
Although healthcare is trying to catch up on implementing security practices and technology, the industry is still far behind some other sectors, including the financial services industry, says Keith Fricke, partner and principle consultant at tw-Security. "This is because the financial sector has always had information of interest to criminals. In more recent times, criminals have turned an eye toward stealing patient information for financial gain. Continued cyber education and awareness of workers in the healthcare industry is a necessity."
As for whether President-elect Trump's administration will have a significant impact on HHS' privacy and security policies, the jury is still out, Fricke says.
"It is hard to say anything about the impact the Trump administration will have - good or bad, - because the president-elect has a large list of items to address when he takes office - privacy and security being only one of those many things," he says.