In May 2011 the HHS Office of the Inspector General (OIG) published its findings regarding CMS’s oversight and enforcement of the HIPAA Security Rule. The findings state that the oversight and enforcement actions “were not sufficient” to ensure that covered entities “effectively implemented the Security Rule.” As a result, ePHI was “vulnerable to attack and compromise.”

OIG audited 7 hospitals and identified 151 vulnerabilities, of which 124 were categorized as “high impact.” “Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge.”

The most frequent vulnerabilities at hospitals were:

  • Wireless Access. 15 vulnerabilities were identified at 5 hospitals, including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks, broadcast SSIDs, no authentication required to join the wireless network, the inability to detect rogue devices, and no procedures for continuously monitoring the wireless networks.
  • Access Control. 38 vulnerabilities were identified at 7 hospitals involving domain controllers, servers, workstations, and mass storage media. Vulnerabilities included inadequate password settings, computers that did not log users off after inactivity, unencrypted laptops containing PHI, and excessive access to root folders.
  • Audit Control. 9 vulnerabilities were identified at 5 hospitals involving servers, routers, firewalls, databases, and wireless access points. The five hospitals had audit logging disabled for one or all of the above. In addition, their network administrators did not routinely review operating system and application audit logs.
  • Integrity Control. 21 vulnerabilities were identified at 7 hospitals on PCs and servers. These included uninstalled critical security patches, outdated antivirus updates, operating systems no longer supported by the manufacturer, and unrestricted internet access.
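The host-level findings in the list above (audit logging disabled, no inactivity logoff, weak password settings, unencrypted laptops holding PHI, missing critical patches, unsupported operating systems, stale antivirus signatures) are the kind of thing a covered entity can check against its own inventory before an auditor does. The following is an added example, not code from the OIG report or from any hospital; the threshold values, the `Host` record layout and the sample inventory are all assumptions constructed for illustration. It maps each host-level weakness to the Security Rule category the report uses and tallies findings per category.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Thresholds are assumed local policy values, not figures from the OIG report.
MAX_INACTIVITY_MINUTES = 15
MIN_PASSWORD_LENGTH = 8
MAX_CRITICAL_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7


@dataclass
class Host:
    """One entry of a (hypothetical) asset inventory export."""
    name: str
    role: str                                 # "server", "workstation", "laptop", ...
    audit_logging: bool                       # OS/application audit logging enabled
    inactivity_logoff_minutes: Optional[int]  # None means sessions never time out
    min_password_length: int                  # effective password policy on the host
    disk_encrypted: bool
    stores_phi: bool
    critical_patch_age_days: int              # days since the last critical patch
    os_supported: bool                        # vendor still ships security fixes
    av_signature_age_days: int


def check_host(host: Host) -> list[tuple[str, str]]:
    """Return (category, description) findings for one host, using the
    HIPAA Security Rule categories named in the OIG summary."""
    findings = []
    if not host.audit_logging:
        findings.append(("Audit Control", f"{host.name}: audit logging disabled"))
    if host.inactivity_logoff_minutes is None:
        findings.append(("Access Control", f"{host.name}: no inactivity logoff"))
    elif host.inactivity_logoff_minutes > MAX_INACTIVITY_MINUTES:
        findings.append(("Access Control",
                         f"{host.name}: inactivity logoff of "
                         f"{host.inactivity_logoff_minutes} min exceeds policy"))
    if host.min_password_length < MIN_PASSWORD_LENGTH:
        findings.append(("Access Control",
                         f"{host.name}: password minimum length "
                         f"{host.min_password_length} below policy"))
    if host.role == "laptop" and host.stores_phi and not host.disk_encrypted:
        findings.append(("Access Control", f"{host.name}: unencrypted laptop storing PHI"))
    if host.critical_patch_age_days > MAX_CRITICAL_PATCH_AGE_DAYS:
        findings.append(("Integrity Control",
                         f"{host.name}: critical patches {host.critical_patch_age_days} days old"))
    if not host.os_supported:
        findings.append(("Integrity Control", f"{host.name}: operating system no longer supported"))
    if host.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        findings.append(("Integrity Control",
                         f"{host.name}: antivirus signatures {host.av_signature_age_days} days old"))
    return findings


def audit_inventory(hosts: list[Host]) -> list[tuple[str, str]]:
    """Run every host through check_host and flatten the results."""
    return [finding for host in hosts for finding in check_host(host)]


def findings_by_category(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings per Security Rule category, as the report tabulates them."""
    return dict(Counter(category for category, _ in findings))


# Constructed sample inventory; none of these hosts or values come from the report.
SAMPLE_HOSTS = [
    Host("dc01", "server", audit_logging=False, inactivity_logoff_minutes=15,
         min_password_length=12, disk_encrypted=True, stores_phi=False,
         critical_patch_age_days=10, os_supported=True, av_signature_age_days=1),
    Host("ws-nurse-07", "workstation", audit_logging=True, inactivity_logoff_minutes=None,
         min_password_length=6, disk_encrypted=False, stores_phi=True,
         critical_patch_age_days=95, os_supported=False, av_signature_age_days=40),
    Host("lt-billing-03", "laptop", audit_logging=True, inactivity_logoff_minutes=10,
         min_password_length=10, disk_encrypted=False, stores_phi=True,
         critical_patch_age_days=5, os_supported=True, av_signature_age_days=2),
    Host("db-ehr", "server", audit_logging=True, inactivity_logoff_minutes=10,
         min_password_length=14, disk_encrypted=True, stores_phi=True,
         critical_patch_age_days=3, os_supported=True, av_signature_age_days=1),
]

if __name__ == "__main__":
    all_findings = audit_inventory(SAMPLE_HOSTS)
    for category, message in all_findings:
        print(f"[{category}] {message}")
    print(findings_by_category(all_findings))
```

On the constructed inventory the workstation that never logs users off, runs an unsupported OS and has not been patched accounts for most of the findings; the fully configured database server produces none. Wiring real data in means replacing `SAMPLE_HOSTS` with an export from the organisation's own inventory or configuration-management tooling.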

Other high impact vulnerabilities identified included Transmission Security, Authentication, Facility Access Control, Device and Media Control, and lack of Contingency Plans.

As of July 27, 2009, Secretary Kathleen Sebelius transferred authority for enforcing the HIPAA Security Rule from CMS to the HHS Office of Civil Rights.
