GAO Report On Privacy And Security: A Wake-Up Call For HHS?

Latest cyber-attacks show it’s time to mandate adoption of identity management, cybersecurity practices to better protect PHI.

By Michael Magrath, Director of Business Development, Healthcare, VASCO Data Security

The cyber-attacks that have hit healthcare organizations throughout the year were made all but inevitable by the gaping data security holes in U.S. healthcare information management policies. It is no secret that HHS swept security and authentication under the rug during the rollout of EHRs, so as to not to impede providers’ adoption of electronic records by making them difficult to use.

That now-outdated intent to shield smaller and single-physician practices from responsible security practices was the key reason that HITECH, when first drafted, excluded provisions to protect the identities and confidential data of those at the center of the move towards EHR: 300 million or so U.S. patients.

As a result, the current minimum requirements for identity assurance are set dangerously low, requiring only a strong password – a 50-year-old approach that has time and again proven to serve as no meaningful impediment to hackers. The reality is HHS has been playing Russian roulette, hoping security breaches would not occur due to weak username and static password authentication. Putting convenience ahead of security has already led to breaches impacting millions of lives and has made obvious the risks of our continued reliance on easily compromised passwords as a security strategy.

The title of the new report by the Government Accountability Office (GAO) to the U.S. Senate’s Committee on Health, Education, Labor and Pensions tells the story: HHS Needs to Strengthen Security and Privacy Guidance and Oversight. The report’s first paragraph makes the point that:

“…systems storing and transmitting health information in electronic form are vulnerable to cyber-based threats. The resulting breaches — involving over 113 million records in 2015 — can have serious adverse impacts such as identity theft, fraud, and disruption of healthcare services and their number has increased steadily in recent years…”

As Chair of the HIMSS Identity Management Task Force, I’ve been immersed in identity management and the security side of health IT. Nothing in the report surprises me. The report underscores that the core problem — the uptick in hacking and other inadvertent leak incidents — is a symptom and result of HHS’ shortcomings in securing our healthcare system.

We are at a point where HHS needs to wake up and realize the seriousness of the current security gap, especially since this isn’t the first wake-up call that’s been issued. Our healthcare system is one of the 16 critical infrastructure sectors defined in 2013’s Presidential Policy Directive 21. The Directive includes many provisions, one of which tasked NIST to develop a Cybersecurity Framework. Although conforming to NIST’s Cybersecurity Framework is voluntary, its core set of security controls represents a consensus of topics to consider when developing information security programs. The Framework includes 98 subcategories.

HHS’ Office of Civil Rights (OCR) proactively developed a “crosswalk toolkit” that mapped 2003’s HIPAA Security Rule to the 2014 Cybersecurity Framework to show how organizations’ existing HIPAA compliance efforts fit into the Framework. GAO points out that, “of the 98 framework subcategories, the toolkit fully addresses only 19. Many of the specific controls detailed within the framework’s 98 subcategories are not addressed in either the HHS security assessment guidance or in its other risk management guidance.” If you are a baseball fan, 19 for 98 is below the Mendoza Line, batting .194.

Over the years HHS, has released several non-specific guidance documents, but all are weak and without mandates for actual identity management and the authentication of entities accessing protected health information — the foundation elements to protect PII and PHI. HHS guidance documents typically include words like “may” and “should,” but rarely include words like “shall” or “must,” especially when it comes to identity management and the authentication of users accessing PHI.

The GAO report makes plain the security risks of resulting from such vague guidance. It states: “The guidance published by HHS does not address all of the elements in the NIST guidance. HHS officials said they intended their guidance to be minimally prescriptive to allow flexible implementation by a wide variety of covered entities. However, until these entities address all the elements of the NIST Cybersecurity Framework, their EHR systems and data are likely to remain unnecessarily exposed to security threats.”

The GAO provides five recommendations for executive action. The first two are most notable:

1.Update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the NIST Cybersecurity Framework.

2.Update technical assistance that is provided to covered entities and business associates to address technical security concerns.

HHS can no longer stick its head in the sand and hope this cyberwar will just go away, nor can it ignore the human impacts. A year’s credit monitoring isn’t especially meaningful or helpful to a patient whose PII may well be offered on the dark web for years to come. And if we lose the cooperation of increasingly cyber-skittish patient populations — who are informed by a seemingly steady drumbeat of security breach news — then cooperation and participation in public health initiatives becomes more of a question than it ever needs to be. The new reality is patients increasingly view the few extra steps and seconds required for identity authentication as advantageous, not inconvenient.

The GAO’s recommendations need to be adopted in order to urge HHS to update the 13 year-old HIPAA Security Rule, so that it maps to the identity proofing and multi-factor authentication milestones included in ONC’s 2015 Shared Nationwide Interoperability Roadmap and NIST’s Cybersecurity Framework. It is my hope that HHS will collaborate with organizations like the HIMSS Identity Management Task Force, the HIMSS Privacy & Security Committee and the Identity Ecosystem Steering Group.

Find out more on identity proofing and multi-factor authentication in a complimentary white paper on securing data access within the healthcare industry.