HHS Data Not Secure: Report

Published May 1, 2006

A U.S. Government Accountability Office (GAO) report released March 23 pointed out possible flaws in data security at the Centers for Medicare & Medicaid Services (CMS).

The GAO, Congress’s investigative arm, noted current controls on government health programs may put information at risk due to several weaknesses in the way information is handled.

According to the study, the U.S. Department of Health and Human Services and CMS have significant “weaknesses” and “vulnerabilities” in their data-control systems, particularly those “designed to physically secure computer resources, conduct suitable background investigations, segregate duties appropriately, and prevent unauthorized changes to application software.”

‘Swiss Cheese’ Security

The study, requested by Senate Finance Committee Chairman Charles Grassley (R-IA), stated the reason for the weaknesses is HHS’s failure to implement a “department-wide information security program.” A program exists, the study said, but has not yet been put in place.

“HHS relies on automated information systems and interconnected networks to process and pay medical claims; conduct medical research; manage its wide spectrum of health, disease prevention, and food and safety programs; and support its department-wide financial and management functions,” the authors note. “Interruptions in HHS’s financial and information management systems could have a significant adverse effect on the health, welfare, and mental well-being of millions of American citizens who depend on its services.”

The authors cited several examples of potential data security problems. One CMS Medicare contractor used a privately owned vehicle and an unlocked container to transport approximately 25,000 Medicare check payments over a one-year period. In another instance, 440 individuals were granted unrestricted access to an entire data center, including a sensitive area, although their jobs did not require them to have such access.

“We’re learning [Medicare/Medicaid recipients’] medical, personal, and financial information is vulnerable to fraud and abuse,” Grassley said in a March 23 statement.

“Instead of firewalls to safeguard sensitive data, we have Swiss cheese,” Grassley noted.

Questions About Findings

But in a written response to Gregory Wilshusen, GAO’s director of Information Security Issues and the study’s author, HHS Inspector General Daniel Levinson stated, “The evaluation approach utilized by GAO does not provide an accurate or complete appraisal of the HHS enterprise-wide information security program.

“HHS assesses risk periodically; disseminates necessary policies and procedures; develops security plans; delivers security awareness and training; tests and evaluates system controls at least annually; detects, responds to and reports incidents; plans continuity of operations; and maintains reliable monitoring and reporting capabilities,” Levinson continued. “This programmatic structure, as mandated by law and proven in practice, led to the development of sound security practices and continuous improvement in HHS’s overall security posture.”

While checks kept in unlocked cars are one issue, increased reliance on electronic data is another.

“Keep in mind that the electronic medical record (EMR) is not a mandate from the public,” said Twila Brase, a registered nurse and president of the Citizen’s Council on Health Care, a Minnesota-based free-market health care organization. “It’s a mandate from payers, including government, health plans, and large employer groups. The public is not all that comfortable with the idea.”

Patient Consent

A 2005 Harris Poll found 48 percent of those surveyed believe the benefits of a centralized database outweigh the risks, and 47 percent believe the risks outweigh the benefits, noted Brase. A 2000 Gallup poll found 95 percent of those polled didn’t want information released to a national database without their permission.

The only way to safeguard the information is to give patients consent over who gets access to their data, according to Brase.

“[The federal Health Insurance Portability and Accountability Act] allows data to be disclosed without ever telling the patient. States must pass strong patient-consent laws for electronic access to private data,” Brase said.

In addition, the Health Information Technology Promotion Act of 2005 (H.R. 4157), currently pending in the House Subcommittee on Health, must not be allowed to pass in its current form, Brase said.

“It will abolish the right of states to enact real medical privacy laws,” Brase said, “leaving all patients vulnerable to HIPAA’s permissiveness.”

Slippery Slope

Rep. Nancy Johnson (R-CT), who introduced H.R. 4157 last October, said the bill would “make sure the national health [information technology] coordinator’s post is a permanent one” and “overcome some of the key obstacles that have slowed our progress toward adoption of a national, interoperable electronic system.”

Brase said its effects will be felt more strongly in years to come.

“Everything will be recorded somewhere,” Brase explained. “By electronically linking each child’s birth certificate with other seemingly innocuous government health databases [such as state immunization registries, newborn hearing screening registries, and newborn genetic testing registries], citizen profiles are being created from birth. This is a very slippery slope.”

EMRs also can facilitate massive privacy breaches, said Brase. “It would require a truck in the middle of the night to carry 4,000 paper medical records out of a clinic, but it only takes a disk in a pocket or an e-mail transmission to steal those same records in electronic format in broad daylight.”

Susan Konig is assignment editor for Health Care News.

For more information …

The U.S. Government Accountability Office’s Report to the Chairman, Committee on Finance, U.S. Senate, February 2006, Information Security: Department of Health and Human Services Needs to Fully Implement Its Program, is available online at http://www.gao.gov/new.items/d06267.pdf.

Information about the Citizen’s Council on Health Care is available on its Web site at http://www.cchc-mn.org.