It’s a nice reward and the judges have resumes such that I normally would not question their decision making. They selected nine winners out of 30 nominations.
But CMS? Sure, the press release on the agency’s award touts its management of nearly 200 data centers, with information on more than 100 million beneficiaries. The release also touts a “pro-active risk reduction program” at the agency.
But here is what the fawning release doesn’t get into:
* CMS operates the Medicare program, and 16 years after enactment of HIPAA still uses Social Security numbers as beneficiary identifiers.
* CMS has published two reports in the past six years about replacing the SSNs, but hasn’t found the wherewithal to actually do it.
* CMS continues to argue the cost and time to replace SSNs is too large, but the Veterans Administration managed to introduce a beneficiary card without an SSN or date of birth displayed, and it did it in 2004.
* The HHS Office of Inspector General recently reported that Medicare had 14 data breaches during a 23-month period, mostly small and affecting a total of 13,775 beneficiaries. CMS did not notify half of affected beneficiaries within 60 days of breach discovery--in violation of the HIPAA breach notification rule--but managed to provide timely notification to the HHS Office for Civil Rights all 14 times.
* According to the Inspector General, CMS maintains a database of “compromised” beneficiary numbers, and it isn’t small--284,000 of them, plus 5,000 provider numbers. And the IG also notes that CMS hasn’t developed a consistent process to stop payments on compromised numbers.
* CMS is huge in its own right, it has the weight of the truly massive Department of Health and Human Services behind it, and yet it hasn’t used that influence to get final new HIPAA privacy/security/breach rules out of the Office for Civil Rights to better protect its 100 million beneficiaries.
Maybe the folks who pass out the National Cybersecurity Innovation Award should take another look at the 21 nominees who didn’t win, because one of them must have a better track record more award-worthy than CMS.