OCR, FDA Security Enforcement to Be ScrutinizedWatchdog Agency to Assess Regulators' Patient Data Protection Initiatives
A federal watchdog agency plans in fiscal 2016 to more closely scrutinize federal regulators' oversight of the security controls that healthcare providers and business associates use to protect electronic patient information.
The OIG recently issued a work plan for fiscal 2016, which began Oct. 1, highlighting a number of key security topics that it will review. For example, OIG will conduct a study "to determine the adequacy" of HHS' Office for Civil Rights' oversight of the security of electronic protected health information.
OIG has criticized OCR for delays in launching a permanent HIPAA compliance audit program - as mandated under the HITECH Act - to assess whether covered entities and business associates are properly safeguarding health information.
"Prior OIG audits have also summarized numerous vulnerabilities in the systems and controls to protect ePHI at selected covered entities," OIG notes in its work plan
In recent months, OCR officials have said the office plans to launch phase two of its HIPAA compliance audit program next year (see New HIPAA Compliance Audit Details Revealed).
OIG's plan to further evaluate OCR's oversight of HIPAA Security Rule compliance comes on the heels of OIG in September issuing an assessment of OCR's HIPAA enforcement activities. In two reports, OIG noted that OCR needs to strengthen its oversight of HIPAA Privacy Rule compliance as well as improve followup activities on reported data breaches (see OIG Reports: HIPAA Enforcement Activities Need a Boost).
OCR declined to comment on OIG's work plan.
Scrutiny Is Needed
Privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group, says it appears that OIG has valuable reviews planned, especially for OCR.
"OIG's planned 2016 work is very important to the security and privacy of PHI, especially since OCR has not stepped up to the job," she says.
"Although I recognize agency challenges, it is important for the OIG to focus on OCR's chronic, weak oversight of PHI security," she says. "In carrying out the 2016 work plan, I would not expect the OIG to find significant improvement in the state of security at CEs and BAs. Inadequate oversight and enforcement have long been recognized as a factor in disappointing compliance."
But Borten also questions whether OIG will have the resources to carry out all its fiscal 2016 plans, since stretched resources have been a challenge for other HHS agencies, including OCR (see Exclusive: OCR's McGraw on Timing of HIPAA Audits).
"Will [OIG] get the resources necessary to carry out this ambitious work plan? We can only hope so."
Medical Device Cybersecurity
In addition scrutinizing OCR's HIPAA oversight activities, OIG also plans to examine whether "FDA's oversight of hospitals' networked medical devices is sufficient to effectively protect associated ePHI and ensure beneficiary safety." Computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records and the larger health network, pose a growing threat to the security and privacy of personal health information, OIG notes.
Over the last two years, FDA has been ramping up efforts to improve the cybersecurity of medical devices. That includes guidance recommending that medical device manufacturers build cybersecurity into the design and life-cycle of products, and also guidance to healthcare providers about including medical devices in their cybersecurity risk analysis (see Ramping Up Medical Device Cybersecurity).
In a statement provided to Information Security Media Group, the FDA says it welcomes the inclusion of patient safety of networked devices in OIG's work plan. "With more and more medical devices relying on interconnectivity and interoperability, the threat of cybersecurity breaches increase," FDA says. "Managing these threats is a shared responsibility, and the FDA will continue to collaborate with our stakeholders in the healthcare sector, including the cybersecurity research community and other government agencies, to collectively address this issue."
Rebecca Herold, partner and co-founder of the consulting firm SIMBUS Security and Privacy Services, says she was pleased to see "controls over networked medical devices at hospitals" added as a new topic of OIG scrutiny.
"However, by only having it under the FDA, it will leave gaps of overview between what the FDA has historically looked at with regard to medical devices, and what the HHS has been looking at with regard to data and network security and privacy over the past several years during all their HIPAA reviews," she says. "Most medical device manufacturers are business associates as a result of how they maintain access to the devices, and the data within, on an ongoing basis. They must also comply with HIPAA, but the FDA is not a HIPAA enforcement agency, leaving a big gap of oversight missing for medical device vendors and manufacturers."
Other OIG Security Plans
In addition to the scrutiny OIG plans to give OCR and FDA, the watchdog agency has a number of other security-related reviews slated. Those include:
- Reviewing various HHS agencies' compliance with the Federal Information Security Modernization Act of 2014;
- Conducting network and Web application penetration testing to determine whether HHS' networks and applications are susceptible to hackers;
- Reviewing whether information security controls for state-based insurance exchanges under the Affordable Care Act have been implemented in accordance with federal requirements and best practices;
- Performing audits of various covered entities receiving HITECH Act incentive payments to determine whether they adequately protect information created or maintained by certified electronic health record technology;
- Determining the extent to which hospitals comply with HIPAA contingency planning requirements;
- Determining the adequacy of Centers for Medicare and Medicaid Services' oversight of states' Medicaid system and information security controls.
Herold says she'd also like to see OIG review the use of emerging technologies.
"Healthcare organizations, and their BAs, are widely using social media, smart devices and big data analytics, and more new tools and trends will continue to pop up. These new areas present new risks to PHI. Audits should explicitly be required to look at these new areas," she says. "They all fall within the administrative, technical and physical requirements of HIPAA, but from what I've seen and heard, they are usually not addressed during audits. These must be included to catch and be able to mitigate significant information security and privacy risks."
Also, in OIG's ramped up scrutiny of OCR, Herold says she'd like the watchdog agency to emphasize the importance of enforcing HIPAA compliance among business associates because many "lack of understanding of their obligations to implement security and privacy controls and practices."