OIG to Review Medical Device Security
Inspector General Also Will Scrutinize HealthCare.Gov
The HHS Office of Inspector General plans to scrutinize a number of security-related activities in the healthcare sector in fiscal 2014, including reviewing whether hospitals' security controls over networked medical devices are sufficient to effectively protect patients' information.
The recently released Fiscal Year 2014 HHS OIG Work Plan includes a host of security audit, review and oversight activities planned by the Department of Health and Human Services' watchdog agency in fiscal 2014, which ends Sept. 30.
Besides reviewing hospitals' medical device security practices, OIG activities planned for 2014 include reviewing security related to the Affordable Care Act's HealthCare.gov systems; reviewing security and privacy compliance by healthcare organizations participating in the HITECH Act electronic health records incentive program; and reviewing the HHS Office for Civil Rights' oversight of HIPAA compliance by healthcare entities.
OIG's new activities planned around medical device security are critical, say some security and privacy experts.
"Medical device information security is an important area, and this may be the OIG activity that has the largest impact," says attorney Adam Greene of the law firm Davis Wright Tremaine. "OIG's findings in this area will bring more attention to this problem and could spur HHS and other regulators to increase their focus on this issue. It will be interesting to see if OIG addresses what role the different agencies, such as FDA [Food and Drug Administration] and the Office for Civil Rights, should have in improving device security."
Additional attention to medical device security can't come quickly enough, says Mac McMillan, CEO of security consulting firm CynergisTek.
Medical device security "is a problem that we need to solve before someone gets hurt," McMillan says. "Everyone in the system knows these devices are not secure, yet we, as an industry, have not been able to fix the problem. The FDA has provided some helpful guidance here regarding security considerations for these devices. If the OIG just uses that as its audit criteria for measurement, they will amass a mountain of data and shine another light on this issue. Our providers want more secure devices; they're just not seeing them."
Hospital Medical Device Audits
An OIG spokesman says that while details of OIG's medical device review plans are not yet finalized, it's likely that OIG's audit unit will conduct reviews of some hospitals' medical device security controls.
The work plan says OIG "will determine whether hospitals' security controls over networked medical devices are sufficient to effectively protect associated electronic protected health information [ePHI] and ensure beneficiary safety."
The plan continues: "Computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records and the larger health network, pose a growing threat to the security and privacy of personal health information. Such medical devices use hardware, software, and networks to monitor a patient's medical status and transmit and receive related data using wired or wireless communications."
Other OIG oversight activities related to health data security and privacy planned for fiscal 2014 include:
- Review of whether information security controls for CMS's web infrastructure, which hosts the federally facilitated marketplace of health insurance exchanges under the Affordable Care Act, have been implemented in accordance with CMS information security standards, recognized industry best practices and federal information security standards. OIG will also conduct "a vulnerability scan of the HealthCare.gov website using an automated tool that seeks to identify known security vulnerabilities and discover possible methods of attack that can lead to unauthorized access or the exfiltration of data."
- Audits of covered entities receiving HITECH Act EHR incentive payments from the Centers for Medicare & Medicaid Services, as well as their business associates, such as cloud vendors offering EHRs, to determine whether they adequately protect electronic health information created or maintained by certified EHR technology;
- Review of OCR's oversight of covered entities' compliance with the HIPAA privacy and breach notification rules;
- Review of security controls implemented by Medicare and Medicaid contractors and at hospitals to prevent the loss of PHI stored on portable devices and media, such as laptops, jump drives, backup tapes and equipment considered for disposal.
Among activities not listed on the OIG work plan that should have been considered is a more intensive review of healthcare entities' overall health data security programs, says McMillan, the consultant.
"One important aspect that they could look at that would speak volumes to commitment to compliance would be something as simple as how many healthcare organizations have a qualified information security person leading their HIPAA security program, with the resources they need to execute effectively, and where that individual is placed within the organization as it relates to their ability to effect change or ensure that security is an organizational priority," he says.
Still, scrutiny by OIG is no guarantee of more successful security compliance, says Greene, the attorney.
"OIG audits are very effective at finding information security problems, but ultimately have very limited impact," he says. For example, previous reports have found widespread information security problems and have called for HHS to expand its use of proactive audits. "Such OIG reports were part of the reason the HITECH Act included a requirement for OCR to perform periodic [HIPAA compliance] audits," he says. "However, there are no appropriations that go with OIG recommendations.
"OIG is likely to recommend a greater amount of auditing of health data security, but agencies such as OCR do not necessarily have the funds to implement such recommendations," Greene notes.