OIG lists security of health info as one of HHS’s top weaknesses

Watchdog also questions agency’s ability to ensure return on HIT investments.


The Department of Health and Human Services continues to face challenges safeguarding the privacy and security of healthcare IT, improving information flow and ensuring a return on HIT investments, according to the HHS Office of the Inspector General.

In fact, the OIG ranks the “meaningful and secure exchange and use of electronic information and health IT” as the third biggest management and performance challenge facing HHS, on a list of 10 factors it recently identified.

In particular, OIG’s just-released midyear update to its fiscal 2016 work plan notes that threats to information privacy and security are evolving, and that HHS must remain vigilant in confronting these growing challenges, especially as the frequency of health data breaches has increased significantly industry-wide.



“Frequently identified weaknesses include inadequacies in access controls, patch management, encryption of data, and website security vulnerabilities at the Department, healthcare providers, and other entities that do business with the Department,” auditors concluded. “Such weaknesses could result in unauthorized access to sensitive information.”

At deadline, HHS did not respond to requests for comment on the OIG report.

An August 2015 report by the House Energy and Commerce Committee on the information security protocols at HHS found numerous deficiencies stemming from what congressional investigators called “serious structural flaws” that have left the agency’s operating divisions vulnerable to cyber attacks. According to the committee’s report, five HHS operating divisions have been breached within the last three years, including an October 2013 breach of the Food and Drug Administration’s internal network.

While OIG says HHS has made progress with respect to the privacy and security of its own information, more work remains to be done, including using available policy levers to address health IT privacy and security issues.

“As for the flow of information, the Department must do more to improve the flow, subject to appropriate privacy and security safeguards,” asserts the OIG, which argues that the flow of health information between providers is critical to the success of delivery system reform. Without the right information, providers will face unnecessary barriers in coordinating care and meeting performance goals.

At the same time, auditors make the case that the flow of information is also important between HHS and providers. “Data created, maintained or transmitted using EHRs or other health IT are used to ensure correct Medicare and Medicaid payments, including value-based payments,” states the OIG. “Participants in certain initiatives also receive Departmental data for their use in improving the care they furnish.”

In addition to the challenge of improving the flow of electronic information, OIG contends that HHS is not ensuring a return on its investments in health IT. According to auditors, the ROI challenges include preventing inappropriate payments to participants who do not meet program requirements, ensuring that the beneficial characteristics of EHRs are not used as tools for fraud, and ensuring that patient safety benefits are realized.

“When addressing these challenges, the Department must ensure coordination among internal agencies, as well as other federal partners, with overlapping responsibility for various aspects of health IT to avoid potential gaps in policy and oversight that could undermine the promise of the investments,” concludes the OIG.
