Skip to content
DWT logo
People Expertise Insights
About Locations Careers
Search
People
Expertise
Insights
About
Locations
Careers
Search
Advisories
Healthcare

Turning Up the Heat: OIG Reports Highlight Security Vulnerabilities and Lack of HHS Oversight

By  Adam H. Greene* and Rebecca L. Williams
05.19.11
Share
Print this page

On May 16, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued two reports critical of the HHS’ efforts to ensure the security of electronic health information. The first report criticized the Centers for Medicare & Medicaid Services (CMS) for its prior oversight of the HIPAA Security Rule. The second report criticized the Office of the National Coordinator for Health Information Technology (ONC) for insufficiently building security into the requirements for certified electronic health records.

These reports demonstrate that there is significant pressure on ONC, the Office for Civil Rights (OCR), and CMS to build more stringent security controls into health information technology (IT) systems, and that a number of specific vulnerabilities have been highlighted. Covered entities and business associates may be well served to use these reports to proactively assess their own systems for these high-impact vulnerabilities. We provide a vulnerability checklist at the end of this alert to assist organizations in conducting their own risk analyses.

OIG criticizes lack of government oversight

Privacy advocates, the HIT Policy Committee’s Privacy and Security Tiger Team, and members of Congress already have expressed concern with HHS over a perceived lack of emphasis on health information security. These two reports add another voice, this time from HHS’ own watchdog, to this chorus. They also provide the health care community with information about potential vulnerabilities and raise the probability of heightened HIPAA security enforcement (such as through the upcoming audit program) and more stringent security requirements for electronic health records.

The OIG’s report on oversight of the HIPAA Security Rule concluded that CMS’ oversight and enforcement actions were insufficient to ensure that covered entities, such as hospitals, physician practices, and health plans, effectively implemented the Security Rule, leaving electronic protected health information (ePHI) vulnerable to attack and compromise.

After auditing seven hospitals located across the country, the OIG identified 151 vulnerabilities in systems and controls intended to protect ePHI, of which the OIG categorized 124 vulnerabilities as high impact. The identified high-impact vulnerabilities included problems with technical safeguards (wireless network access, access control, audit control, integrity control, authentication, and transmission security), physical safeguards (facility access and device and media control), and administrative safeguards (security management, workforce security, security incident procedures, and contingency planning).

OIG calls for proactive compliance audits

The OIG’s recommendation is for OCR, which now has authority for enforcement of the Security Rule, to continue CMS’ most recent efforts by conducting proactive compliance reviews (rather than launching investigations based only on complaints or media reports). The OIG’s recommendation also is consistent with the mandate for proactive audits under the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). OCR is in the process of launching an audit program pursuant to a requirement of the HITECH Act. Based on recent OCR statements, a pilot audit program is expected later this year. The OIG recommendation begs the question of whether the vulnerabilities identified by the OIG will be included in OCR’s upcoming audit efforts.

OIG recommends expanded EHR security standards

The OIG’s report on ONC’s security effort primarily focused on the standards and certification criteria for electronic health records (EHRs). After reviewing these standards, which ONC promulgated as part of the meaningful use program, the OIG criticized ONC for including only application-specific IT security standards, rather than general IT security standards. The OIG expressed concern that application-specific security controls can be bypassed due to a lack of general security controls.

For example, while ONC’s standards address encryption of transmissions between systems, the OIG criticized ONC for not including standards requiring encryption of data stored on mobile devices, two-factor authentication for systems containing electronic health information, and the regular updating of operating systems. The report recommends that ONC broaden its standards to include general IT security controls, use its leadership role to promote IT security best practices, emphasize to the health care community the importance of general IT security, and coordinate with CMS and OCR.

The OIG report on ONC’s security efforts appears to miss the mark in one significant way. ONC’s EHR standards are the foundation of ONC’s certification program for EHR software. During this process, ONC-authorized testing and certification bodies review EHR software to ensure that it satisfies ONC’s standards. Because the certification process is limited to EHR software (it does not evaluate the general IT environment where the EHR technology would be installed), it is unclear how the certification bodies could certify general IT controls as recommended by the OIG.

Checklist: security risks

The following is a detailed checklist of these vulnerabilities to assist covered entities and business associates with assessing their own systems for the identified high-impact vulnerabilities.

Identified Vulnerability
Addressed?
Wireless Access
 
Ineffective encryption
 
No firewall separating wireless from wired network
 
Broadcasted service set identifiers (SSIDs) from access points (allowing unauthorized users to identify and potentially access the network)
 
No authentication required to access wireless network
 
Inability to detect devices intruding on the wireless network
 
No procedure for continuously monitoring the wireless network
 
 
 
Access Control
 
Inadequate password settings
 
No auto-logoff after period of inactivity
 
Unencrypted laptops containing ePHI
 
Excessive access to root folders
 
 
 
Audit Control
 
Audit logging disabled
 
Failure to review operating system and application audit logs (manually or through automatic tools)
 
 
 
Integrity Control
 
Uninstalled critical security patches
 
Outdated antivirus updates
 
Operating systems no longer supported by manufacturer
 
Unrestricted Internet access
 
 
 
Person or Entity Authentication
 
Inappropriate sharing of administrator accounts
 
Unchanged default user identifiers and passwords
 
 
 
Transmission Security
 
Inappropriate plain text remote administration tools (e.g., Simple Network Management Protocol version 1 and the Telnet protocol)
 
No email encryption
 
Unsecure switch port connections
 
Unnecessary and unsecure network services
 
 
 
Facility Access Control
 
Unsecured access to data center and backup room
 
 
 
Device and Media Controls
 
No inventory system tracking computers containing ePHI
 
No documented plan for or evidence of removal of ePHI from media before disposal
 
No password protection for computers on portable carts
 
No encryption of backup tapes containing ePHI
 
 
 
Security Management Process
 
Incomplete risk assessment of systems that create, receive, maintain, or transmit ePHI
 
No policies or procedures for risk analysis
 
 
 
Workforce Security
 
Employee accounts with inappropriate levels of access to network and ePHI
 
Failure to timely terminate user accounts after employee termination
 
 
 
Security Incident Procedures
 
Lack of procedures to identify, respond to, or document actions taken in response to security incidents
 
 
 
Contingency Plan
 
Incomplete contingency plan
 
Incomplete disaster recovery plan
 
Unsafe storage of backup tapes
 

* Davis Wright Tremaine welcomes Adam Greene to our health information technology/HIPAA practice.  Adam comes to us from the federal Office for Civil Rights. He is a 12-year health law veteran and was a key regulator at the U.S. Department of Health and Human Services agency responsible for HIPAA enforcement. For more information on Adam, please see our press release.

Related Articles

DWT logo
©1996-2022 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Prior results do not guarantee a similar outcome.
NAVIGATE
Home People Expertise Insights
About Locations Careers Events Blogs
STAY CONNECTED

Subscribe to stay informed.

Subscribe
Employees
DWT Collaborate
EEO
Affiliations
Legal notices
Privacy policy
©1996-2022 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Prior results do not guarantee a similar outcome.
Close
Close

CAUTION - Before you proceed, please note: By clicking “accept” you agree that our review of the information contained in your e-mail and any attachments will not create an attorney-client relationship, and will not prevent any lawyer in our firm from representing a party in any matter where that information is relevant, even if you submitted the information in good faith to retain us.