OCT 30, 2012 5:22pm ET

CMS Wins a Security Award, and You Have to Wonder Why

The headline: Centers for Medicare & Medicaid Services Win 2012 National Cybersecurity Innovation Award. My first thought: Really?

It’s a nice reward and the judges have resumes such that I normally would not question their decision making. They selected nine winners out of 30 nominations.

But CMS? Sure, the press release on the agency’s award touts its management of nearly 200 data centers, with information on more than 100 million beneficiaries. The release also touts a “pro-active risk reduction program” at the agency.

But here is what the fawning release doesn’t get into:

* CMS operates the Medicare program, and 16 years after enactment of HIPAA still uses Social Security numbers as beneficiary identifiers.

* CMS has published two reports in the past six years about replacing the SSNs, but hasn’t found the wherewithal to actually do it.

* CMS continues to argue that the cost and time to replace SSNs are too large, but the Veterans Administration managed to introduce a beneficiary card without an SSN or date of birth displayed, and it did it in 2004.

* The HHS Office of Inspector General recently reported that Medicare had 14 data breaches during a 23-month period, mostly small and affecting a total of 13,775 beneficiaries. CMS did not notify half of affected beneficiaries within 60 days of breach discovery--in violation of the HIPAA breach notification rule--but managed to provide timely notification to the HHS Office for Civil Rights all 14 times.

* According to the Inspector General, CMS maintains a database of “compromised” beneficiary numbers, and it isn’t small--284,000 of them, plus 5,000 provider numbers. And the IG also notes that CMS hasn’t developed a consistent process to stop payments on compromised numbers.

* CMS is huge in its own right, it has the weight of the truly massive Department of Health and Human Services behind it, and yet it hasn’t used that influence to get final new HIPAA privacy/security/breach rules out of the Office for Civil Rights to better protect its 100 million beneficiaries.

Maybe the folks who pass out the National Cybersecurity Innovation Award should take another look at the 21 nominees who didn’t win, because one of them must have a track record more award-worthy than CMS’s.

Blog Archive for Joseph Goedert