Friday, March 24, 2006

Red flags for confidentiality at CMS

The Government Accountability Office (GAO) has released a new report (PDF file) on information security at the U.S. Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS) that says the agencies do a poor job of guarding the security of their clients' electronic health records. An excerpt from the abstract (formatting applied):

HHS and CMS have significant weaknesses in controls designed to protect the confidentiality, integrity, and availability of their sensitive information and information systems. HHS computer networks and systems have numerous electronic access control vulnerabilities related to network management, user accounts and passwords, user rights and file permissions, and auditing and monitoring of security-related events. In addition, weaknesses exist in other types of controls designed to physically secure computer resources, conduct suitable background investigations, segregate duties appropriately, and prevent unauthorized changes to application software. All of these weaknesses increase the risk that unauthorized individuals can gain access to HHS information systems and inadvertently or deliberately disclose, modify, or destroy the sensitive data that the department relies on to deliver its vital services. A key reason for these control weaknesses is that the department has not yet fully implemented a departmentwide information security program. While HHS has laid the foundation for such a program by developing and documenting policies and procedures, the department has not yet fully implemented key elements of its information security program at all of its operating divisions. Specifically, HHS and its operating divisions have not fully implemented elements related to

  1. risk assessments,
  2. policies and procedures,
  3. security plans,
  4. security awareness and training,
  5. tests and evaluations of control effectiveness,
  6. remedial actions,
  7. incident handling, and
  8. continuity of operations plans.

Until HHS fully implements a comprehensive information security program, security controls may remain inadequate; responsibilities may be unclear, misunderstood, and improperly implemented; and controls may be inconsistently applied. Such conditions may lead to insufficient protection of sensitive or critical resources and disproportionately high expenditures for controls over low-risk resources.

USA Today puts it a little more bluntly:

Investigators for the GAO reviewed management and audit reports from 2004 and 2005 that outline security practices at 13 HHS divisions and found:

  • Anti-virus software not installed or up to date.
  • Lack of adequate control over computer passwords.
  • Employees and contractors serving without background checks.
  • Inadequate physical controls to prevent spying or theft, such as non-working surveillance cameras and unrestricted access to a data center.

Confidentiality and the lack thereof are critical factors in the lives of people with HIV/AIDS. That these major providers of essential medications and health care services could fail to carry out critical steps in maintaining confidentiality is appalling. Makes you wonder what HIPAA was all about.
