Inspector General Takes ONC to Task Over Lack of General Security Controls
We wouldn't be so bold as to say "I told you so," but for months Redspin has been publicly calling on the ONC to beef up the security controls and measures in the "meaningful use" EHR incentive plan, the Federal Strategic Health IT Plan, and the HIPAA Security Rule itself. In fact just two weeks ago, we offered the following public comments on the Strategic Plan:
"Next, the "security risk analysis" identified as Core Measure 15 should be defined as more than compliance with the HIPAA security rule. Effective security is a process-driven cycle of regularly scheduled assessments, validation, remediation, and reporting that delivers continuous and durable improvements in information security and helps develop a culture of security awareness within organizations." (Public Comments on Federal Strategic Health IT Plan, 2011-2015)

Now this week, we learn that the HHS Inspector General has audited HIT standards, privacy protection under HIPAA, and other security measures at CMS and the ONC. Their conclusion? "OIG found weaknesses in the two HHS agencies entrusted with keeping sensitive patient records private and secure." Such weaknesses included lax oversight and insufficient standards for healthcare providers.

The CMS audit examined seven hospitals across the country and found 151 "vulnerabilities" in the systems and controls designed to safeguard electronic protected health information (ePHI). Those lapses included 124 "high impact vulnerabilities" such as unencrypted laptops and portable drives containing sensitive personal health information, outdated antivirus software and patches, unsecured networks, and the failure to detect rogue devices intruding on wireless networks. "As a result, CMS had limited assurance that controls were in place and operating as intended to protect electronic protected health information, thereby leaving ePHI vulnerable to attack and compromise."

This is exactly why Redspin's HIPAA Risk Analysis and Security Assessments go well beyond the requirements laid out by CMS and the ONC, and why hospitals, health systems and large provider practices should carefully consider which vendor they select to perform their assessment. This is not "check the box" audit work, and it is not something you can entrust to a one-man consulting shop. There are serious implications to leaving ePHI vulnerable to attack and compromise. Sure, the ONC should be more specific about preventative controls and standards in the regulations. But whether the regulations state them or not, you as a hospital or business associate bear the ultimate responsibility for a data breach. We urge you to hold any outside security assessment vendor (including Redspin) to a higher standard. Don't settle for competence; seek out excellence.

Written by: Dan Berger

Web: WWW.REDSPIN.COM | Phone: 800-721-9177 | Email: INFO@REDSPIN.COM
