GAO Recommends Corrective Action by Department of Health and Human Services
More than 113 million electronic health records were breached in 2015, a year that saw a total of 56 cybersecurity attacks in healthcare alone, a 13-fold increase over the number recorded in 2006.
The Government Accountability Office isn't going to let those cybersecurity failures go unremarked upon. The GAO last week came down hard on the Department of Health and Human Services, pointing out a number of weaknesses in HHS's efforts to help health plans, health care providers and other covered entities protect patient data.
"HHS has established an oversight program for compliance with privacy and security regulations, but its actions did not always fully verify that the regulations were implemented," wrote the GAO in a report released Sept. 26. The report also called out HHS for giving technical assistance "that was not pertinent to identified problems" in cybersecurity, and for failing to follow up on cases it investigated.
In short, the GAO found, loss or misuse of health information is not being adequately addressed by HHS. To help healthcare organizations comply with HIPAA and prevent further data breaches, the Office said, HHS should take the following corrective actions:
- Update its guidance for protecting electronic health information to address key security elements.
- Improve technical assistance it provides to covered entities.
- Follow up on corrective actions.
- Establish metrics for gauging the effectiveness of its audit program.
HHS generally concurred with the recommendations and stated it would take actions to implement them.
UPDATE: On Oct. 4, HHS announced that it had awarded funding to help protect the health sector against cyber threats.