Medicare contractors experience year-over-year improvement to info security programs

Gaps in Medicare contractors' information security programs decreased in 2013 from the year before, according to a new report published this month by the Office of Inspector General for the Health and Human Services Department.

The Centers for Medicare & Medicaid Services contracted PwC for the evaluations, which were conducted on nine Medicare contractors, addressing requirements under the Federal Information Security Management Act, according to the report.

The evaluations found that there were 119 gaps in information security programs in 2013 at the nine contractors, which PwC consolidated into 67 findings. There were 147 gaps in fiscal year 2012.

Of those 67 findings:

  • 23 were labeled as high-risk
  • 19 were repeat findings from fiscal 2012
  • 11 of those repeat findings were high-risk

The most gaps, according to the report, were in policies and procedures (42); periodic testing of information security controls (39); and incident detection (14).

OIG says in the report that it is up to the contractors to create a corrective action plan for each finding, and CMS will track the findings until they are corrected.

Privacy and security are among the key issues the healthcare industry must currently tackle, and many similar audits and evaluations are coming.

The Office of Civil Rights is set to hand down some whopping fines for HIPAA violations later this year, according to privacy attorney Adam Greene. However, the HIPAA audit program is on hold as the agency works to upgrade technology.

In addition, last week the Office of the National Coordinator for Health IT issued a new version of its privacy and security guide. The Guide to Privacy and Security of Electronic Health Information has new information on Medicare and Medicaid electronic health record incentive programs and on HIPAA Privacy, Security and Breach Notification Rules.
