Taken together, two recent announcements from the U.S. Department of Health and Human Services (HHS) highlight the need for state and local governments (and others who collect and maintain patient information) to regularly review their policies, procedures and safeguards for protecting patient information under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
First, on March 5, 2014, the HHS Office of Inspector General (OIG) issued an audit report, High-Risk Security Vulnerabilities Identified During Reviews of Information Technology General Controls at State Medicaid Agencies, that summarizes a series of serious cybersecurity lapses found during audits of 10 state Medicaid Management Information Systems (MMIS) performed between 2010 and 2012 (report available at this link).
Second, on March 7, 2014, the HHS Office for Civil Rights (OCR) announced that Skagit County, Washington, has agreed to a $215,000 monetary settlement and corrective action plan related to apparent lapses in protecting the privacy and security of patient information. The Skagit County Public Health Department provides essential health care services to needy individuals in the 118,000-person county. As OCR stated, this “case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size” (announcement and Resolution Agreement available at this link).
Both these events reiterate the need for state and local government agencies that handle patient data – specifically, “protected health information (PHI)” under the HIPAA/HITECH regulations – to perform regular risk assessments and ensure that proper administrative, physical, and technical safeguards are in place and working. In the Skagit County case, an OCR investigation commenced after the county reported a data breach involving several individuals’ information that was inadvertently exposed on, and accessed from, a publicly (Internet) accessible server. The ensuing review found that information regarding some 1,581 individuals had been placed at risk, including sensitive data regarding testing and treatment for infectious diseases, and what OCR characterized as “widespread non-compliance” with the HIPAA Privacy, Security, and Breach Notification Rules.
Returning to the OIG report, the agency’s audits focused on information system general controls, including those that provide the structure, policies, and procedures for managing an organization’s information technology systems and cybersecurity posture. The report details a number of high-risk security vulnerabilities across the 10 states reviewed, characterizing several of them as “systemic” and thus likely to be concerns for other states and their MMIS. In publishing its report, OIG emphasized that its objective was to “increase public awareness of these pervasive vulnerabilities” and thereby lead the Centers for Medicare & Medicaid Services (CMS) and state agencies to meet the challenge and strengthen system security.
The vulnerabilities were explained using three broad categories:
- Entity-wide controls,
- Access controls, and
- Network operations controls.
Examples of the vulnerabilities cited include lack of proper security plans, failure to encrypt laptops, and lack of formal disaster recovery plan testing. Additional deficiencies were seen in a variety of other areas, including asset inventory controls, risk assessments, user access controls, anti-virus procedures, and patch management.
Such cybersecurity deficiencies place agencies, and the patient information they hold, at high risk of unauthorized disclosure or widespread system attacks. But these issues can be avoided with regular attention to safeguards, planning, documentation, and workforce training. As noted in the OIG report, resources such as technical standards and guidance are available from the National Institute of Standards and Technology (NIST). In addition, all health care organizations should be mindful of the growing momentum for adoption of the recently published NIST Cybersecurity Framework, created under the direction of Executive Order 13636, and its support for building a proactive cybersecurity program (see EO 13636, the Framework, and supporting materials at this link).
Patton Boggs has deep experience in assisting public and private sector organizations with their cybersecurity planning and HIPAA/HITECH compliance programs, including policy development, vendor governance, workforce training, and risk assessment.