Health IT data security crude in some companies, says CMS CIO

Companies desiring links to Medicare and Medicaid systems often show poor controls

The level of information security in systems run by some companies that want to be linked electronically with the Centers for Medicare and Medicaid Services (CMS) is so rudimentary that it is “almost embarrassing,” Julie Boughn, CMS’ chief information officer, said today.

“When we look at the entities, inevitably, we find basic amateur problems with security,” Boughn said at a Health Information Technology conference sponsored by the Bethesda chapter of AFCEA.

“These are large companies that you all have heard of. It is almost embarrassing,” Boughn said. She did not name the companies.

Organizations that want to engage in health IT should follow Federal Information Security Management Act principles and perform regular audits and upgrades, she said.

“We all need to step up our game,” Boughn said. “FISMA is an excellent framework.”

The CMS overhauled its IT security starting 10 years ago after an internal audit showed a “disastrous” lack of security, she added. “We have done a lot of work,” Boughn said.

Boughn said she's engaged in helping CMS prepare its systems to handle the $17 billion in incentive payments that will flow to physicians and hospitals under the economic stimulus law. Congress stipulated that the payments would go to providers who buy and "meaningfully use" electronic health record systems.

The law will require a new level of cooperation between Medicare and Medicaid, she said. The law “requires an unprecedented integration between Medicare and Medicaid. We used to not talk to each other and barely knew each other,” Boughn joked, “but with the [stimulus] it is very different.”

Boughn described the role of health IT expansion in the stimulus law as a foundation for health data exchange, health care reform and health improvement.

“We are paying money for measures and metrics,” Boughn said. “That is implicit throughout health care reform. We are building a foundation for the future.”


About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Reader comments

Tue, Apr 13, 2010

Alice, How about if you contact a Kaiser PR spokesperson to see if he or she thinks that maybe CMS CIO would include Kaiser in that group of technology laggards? That would make sense, of course, since it's unimaginable that Kaiser Permanente's Public Relations area could possibly put out a statement that distorts the truth.
