A recent federal Government Accountability Office (GAO) report calls for the Department of Health and Human Services (HHS) to make significant improvements in its guidance and oversight of HIPAA regulations.
‘Struggle to Adequately Assess Risk’
In particular, the GAO report cites the failure of HIPAA regulations to address all elements of the Commerce Department’s National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. That leaves electronic health records (EHRs) vulnerable to hacking, the GAO said.
“HHS officials said they intended their guidance to be minimally prescriptive to allow flexible implementation by a wide variety of covered entities,” the report said. “However, until these entities address all the elements of the NIST Cybersecurity Framework, their EHR systems and data are likely to remain unnecessarily exposed to security threats.”
Covered entities have struggled to adequately assess risk to protected health information and to develop an effective risk management approach, the GAO report said. The GAO noted an increase in healthcare cybersecurity attacks, citing HHS data on healthcare data breaches affecting 500 or more individuals from 2009 to 2015. Hacking and IT-related breaches have also increased steadily each year, the report said.
The GAO report is available online at: http://bit.ly/2dFoNYZ.