HHS neglected some IT security standards, IG says

The Health and Human Services Department might have failed to protect patient health data when setting rules for distributing $20 billion in economic stimulus law funds for providers to buy electronic health record systems, according to a report from HHS' Office of the Inspector General.

When officials at the agency’s Office of the National Coordinator for Health IT made recommendations for regulations to accompany the stimulus funds, they included standards for protecting patient data when it is shared. However, the office made no recommendations for ensuring that hospitals, doctors and health care agencies have general IT security controls — such as encryption, patching and two-factor authentication — on their own systems, the May 16 report states.

The national coordinator’s office “did not have [health IT] standards that included general IT security controls,” wrote HHS Inspector General Daniel Levinson, the report’s author. “Lack of any of these or other IT security controls can expose [health IT] systems to a host of problems."

The national coordinator's office had previously justified its hands-off approach on general IT security by asserting that the requirements were covered under earlier laws, especially the Health Insurance Portability and Accountability Act (HIPAA), the report states.

However, IG audits have shown that HIPAA is ineffective in policing information security for doctors, hospitals and Medicaid agencies, Levinson wrote. Many facilities inspected in recent years had unprotected networks, outdated or missing antivirus software, no encryption, shared user accounts, and inappropriate user access rights.

“Our experience with HIPAA implementation in hospitals does not support [the] position that HIPAA provides adequate general IT security,” the report states.

Levinson listed no specific corrective actions for HHS and instead recommended that the national coordinator’s office:

  • Broaden its focus to include general IT security controls.
  • Use its leadership to provide guidance on industry best practices and general IT security standards.
  • Emphasize the importance of IT security to the medical community.
  • Coordinate with the Centers for Medicare and Medicaid Services and HHS’ Office for Civil Rights to add general IT security controls where applicable.

HHS officials agreed with the recommendations.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.