The Department of Health and Human Services (HHS) needs to improve its security and privacy guidance and oversight program, according to a report from the Government Accountability Office (GAO).

Covered entities need more help with the specifics of applying key controls outlined by the National Institute of Standards and Technology (NIST) to their particular needs, according to GAO. NIST released its Cybersecurity Framework in February 2014; earlier this year, the HHS Office for Civil Rights (OCR) unveiled a “crosswalk” mapping the framework's subcategories to the HIPAA Security Rule.

The College of Healthcare Information Management Executives (CHIME), which represents hospital CIOs, and the Association for Executives in Healthcare Information Security (AEHIS), which represents hospital information security executives, jointly praised the framework, but called for more member education.

HHS officials have said the department's guidance was meant to be minimally prescriptive, but the GAO report criticizes the agency for not fully addressing all the elements of NIST guidance. The agency's own reviews have shown that healthcare organizations are struggling to select appropriate security and privacy controls, and in particular need more help with risk assessment, the report says.

In addition, the technical assistance provided as part of HHS' oversight program for HIPAA compliance hasn't necessarily been pertinent to the problems identified. And OCR hasn't always followed up to ensure that agreed-upon corrective actions were actually taken, GAO notes.

While HHS is in the middle of the second phase of its audit program, it has not established benchmarks to assess the effectiveness of that program, according to the report. What's more, OCR and the Centers for Medicare & Medicaid Services (CMS) don't necessarily share information on the results of their investigations and audits, even though such sharing is needed to ensure compliance with HIPAA and the HITECH Act, GAO says.