Protecting Patient Information - Feds Find Security Lapses in State and Local Government Systems
MARCH 18, 2014
This alert provides only general
information and should not be
relied upon as legal advice. This
alert may be considered attorney
advertising under court and bar
rules in certain jurisdictions.
For more information, contact
your Patton Boggs LLP attorney
or the authors listed below.
PattonBoggs.com Client Alert: Protecting Patient Information – Feds Find Security Lapses in State and Local Government Systems 1
HEALTH CARE AND CYBERSECURITY CLIENT ALERT
PROTECTING PATIENT INFORMATION –
FEDS FIND SECURITY LAPSES IN STATE
AND LOCAL GOVERNMENT SYSTEMS
Taken together, two recent announcements from the U.S. Department of Health
and Human Services (HHS) highlight the need for state and local governments
(and others who collect and maintain patient information) to regularly review
their policies, procedures and safeguards for protecting patient information
under the Health Insurance Portability and Accountability Act (HIPAA) and the
Health Information Technology for Economic and Clinical Health (HITECH)
First, on March 5, 2014, the HHS Office of Inspector General (OIG) issued an
audit report regarding High-Risk Security Vulnerabilities Identified During Reviews of
Information Technology General Controls at State Medicaid Agencies that summarizes a
series of serious cybersecurity lapses found during audits of 10 state Medicaid
Management Information Systems (MMIS) performed between 2010 and 2012
(report at available at this link).
Second, on March 7, 2014, the HHS Office for Civil Rights (OCR) announced
that Skagit County, Washington, has agreed to a $215,000 monetary settlement
and corrective action plan related to apparent lapses in protecting the privacy
and security of patient information. The Skagit County Public Health
Department provides essential health care services to needy individuals in the
118,000 person county. As OCR stated, this “case marks the first settlement with
a county government and sends a strong message about the importance of
HIPAA compliance to local and county governments, regardless of size”
(announcement and Resolution Agreement available at this link).
Both these events reiterate the need for state and local government agencies that
handle patient data – specifically, “protected health information (PHI)” under
the HIPAA/HITECH regulations – to perform regular risk assessments and
ensure that proper administrative, physical, and technical safeguards are in place
PattonBoggs.com Client Alert: Protecting Patient Information – Feds Find Security Lapses in State and Local Government Systems 2
and working. In the Skagit County case, an OCR investigation commenced after the county reported a data breach
involving several individuals’ information that was inadvertently exposed on, and accessed from, a publicly (Internet)
accessible server. The ensuing review found that information regarding some 1,581 individuals had been placed at risk,
including sensitive data regarding testing and treatment for infectious diseases, and what OCR characterized as
“widespread non-compliance” with the HIPAA Privacy, Security, and Breach Notification Rules.
Returning to the OIG report, the agency’s audits focused on information system general controls, including those that
provide structure, policies, and procedures for managing an organization’s information technology systems and
cybersecurity posture. The report details a number of high risk security vulnerabilities across the 10 states reviewed,
characterizing several of them as “systemic” and thus likely to be concerns for other states and their MMIS. In
publishing its report, OIG emphasized that its objective was to “increase public awareness of these pervasive
vulnerabilities” and hopefully lead the Centers for Medicare & Medicaid Services (CMS) and state agencies to meet the
challenge and strengthen system security.
The vulnerabilities were explained using three broad categories:
Access controls, and
Network operations controls.
Examples of the vulnerabilities cited include lack of proper security plans, failure to encrypt laptops, and lack of
formal disaster recovery plan testing. Additional deficiencies were seen in a variety of other areas, including asset
inventory controls, risk assessments, user access controls, anti-virus procedures, and patch management.
Such cybersecurity deficiencies place agencies, and patient information, at high risk of unauthorized disclosure or
widespread system attacks. But, these unfortunate issues can be avoided with regular attention to safeguards, planning,
documentation, and workforce training. As noted in the OIG report, resources such as technical standards and
guidance are available from the National Institute of Standards and Technology (NIST). In addition, all health care
organizations should be mindful of the growing momentum for adoption of the recently NIST-published
Cybersecurity Framework, created under the direction of Executive Order 13636, and its support for building a
proactive cybersecurity program (see EO 13636, the Framework, and supporting materials at this link).
Patton Boggs has deep experience in assisting public and private sector organizations with their cybersecurity planning
and HIPAA/HITECH compliance programs, including policy development, vendor governance, workforce training,
and risk assessment.