Report: HHS needs to improve security, oversight of electronic health information

The Department of Health and Human Services' current guidelines for securing health information are not comprehensive enough to help providers adequately protect themselves from a growing number of cyber-based threats, according to a new federal report.

Electronic data can help providers share information more efficiently, but a recent surge in health data breaches spurred an investigation into HHS' oversight of that data, the U.S. Government Accountability Office said in a report published Monday. The number of reported security breaches affecting the healthcare records of 500 or more patients grew from zero in 2009 to 56 in 2015, the report found.

While HHS has established guidance for HIPAA-covered healthcare providers on complying with privacy and security requirements for health data, the guidance is incomplete in some areas and does not align with other federal cybersecurity guidance, the report says. The HHS guidance also does not address how providers can implement specific security controls, such as risk responses, to fit their organization's needs.

The report also notes that HHS' oversight program for privacy and security compliance has fallen short on verifying that certain regulations were actually implemented. The agency's audit program has also failed to follow up with providers to confirm that corrective actions were carried out once cases investigating cybersecurity complaints were closed.

“Without more comprehensive guidance, covered entities may not be adequately protecting electronic health information from compromise,” the GAO said.

The GAO recommended that HHS update its guidance for healthcare providers to address key security elements, improve technical assistance for providers, follow up on corrective actions, and measure how effective its audit program is. HHS generally agreed with the recommendations.