On May 16, 2011, the Inspector General of the Department of Health and Human Services (“DHHS”) transmitted his report to the Office of Civil Rights (“OCR”), titled “National Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight (A-04-08-05069).” The report slammed OCR’s oversight and enforcement actions as set forth in the report’s Summary of Findings:
CMS’s oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Security Rule. As a result, CMS had limited assurance that controls were in place and operating as intended to protect ePHI, thereby leaving ePHI vulnerable to attack and compromise.
Specifically, our audits of 7 hospitals throughout the Nation identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were identified as high impact. These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge.
The report recommended that OCR continue the compliance reviews that it had begun in 2009 (audits of 10 covered entities) and implement procedures for conducting compliance reviews to ensure that Security Rule controls are in place and operating as intended to protect ePHI at covered entities.
In its discussion of OCR’s response, the OIG noted that, although OCR stated that it has a process for initiating compliance reviews in the absence of complaints, it provided no evidence that it had actually done so.
A telling finding of the audits of the seven hospitals was that, although each had implemented some controls, policies, and procedures to protect ePHI from improper alteration or destruction, none had sufficiently implemented the administrative, technical, and physical safeguard provisions of the Security Rule. Of the 151 vulnerabilities identified in the audits, 124 were denominated as “high impact.” OCR adopted the “Magnitude of Impact Definitions” of the National Institute of Standards and Technology Special Publication 800-30. The “High” impact definition reads as follows:
High—Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
Among high impact vulnerabilities that OCR found at these hospitals were the following:
Wireless Access Vulnerabilities. Five hospitals had 15 wireless access vulnerabilities, all high-impact, including ineffective encryption, rogue wireless access points, no firewalls separating wireless from internal wired networks, broadcasted service set identifiers (“SSIDs”) (codes on data packets that identify each packet as part of the network) from hospital access points, no authentication required to enter the wireless network, the inability to detect rogue devices intruding on the wireless network, and no procedures for continuous monitoring of the wireless networks.
Access Control Vulnerabilities. 38 hospitals had access control vulnerabilities, seven of which were high-impact. These vulnerabilities involved domain controllers, servers, workstations, and mass storage media and included inadequate password settings, computers that did not log off after periods of inactivity, unencrypted laptops, and unauthorized users.
Audit Control Vulnerabilities. Seven hospitals had audit control vulnerabilities, nine of which were high-impact. For example, five hospitals had disabled logging. Further, network administrators did not routinely review operating system and audit logs.
Integrity Control Vulnerabilities. Seven hospitals had vulnerabilities in this area, nine of which were high-impact. Examples included uninstalled security patches, outdated virus updates, operating systems that were no longer supported by the manufacturer, and unrestricted internet access.
Person or Entity Authentication Vulnerabilities. Four hospitals were noncompliant in this area with nine vulnerabilities being high-impact. These deficiencies included inappropriate sharing of administrator accounts and unchanged default user identifiers and passwords.
Transmission Security Vulnerabilities. Four hospitals had vulnerabilities in this area, 14 of which were high-impact. These included inadequate encryption, unsecure switch port connections, and unnecessary and unsecure network services.
Facility Access Control Vulnerabilities. Five hospitals had issues here, but only one was high-impact. Its data center had large open shelves and an unsecured indoor window. The radiology data backup room’s back door lock had been taped over.
Security Management Process. Two hospitals did not comply with the requirement to conduct a risk assessment, and both deficiencies were high-impact. One hospital’s risk analysis was incomplete, and the other had no policies and procedures for risk analysis.
Workforce Security Vulnerabilities. Two hospitals had vulnerabilities in this area, both high-impact. One involved inappropriate access, and the other involved improper procedures for terminating access.
Security Incident Procedure Vulnerabilities. One hospital failed to have procedures to identify, respond to, and document actions taken in response to security incidents. This was a high-impact vulnerability.
Contingency Plan Vulnerabilities. Three hospitals had six contingency plan vulnerabilities, all of which were high-impact. The vulnerabilities included incomplete plans, unsafe storage of backup media, and network security disruptions.
It is somewhat disconcerting that these major covered entities—these aren’t one-clinician, mom-and-pop operations—have such serious deficiencies in their HIPAA security.