A report from the Government Accountability Office suggests HHS could offer better guidance for healthcare organizations regarding cybersecurity and safeguarding patient information.
The GAO report points to the rise in data breaches affecting 500 or more individuals as a growing need to ensure the security and privacy of patient records, and HHS is primarily responsible for setting standards to protect electronic health information and enforcing compliance with the standards.
While HHS has established guidance for covered entities to comply with HIPAA, the guidance does not address all elements called for by other federal cybersecurity recommendations, according to GAO.
"HHS' guidance does not address how covered entities should tailor their implementations of key security controls identified by the National Institute of Standards and Technology to their specific needs," according to the GAO report. "Further, covered entities and business associates have been challenged to comply with HHS requirements for risk assessment and management. Without more comprehensive guidance, covered entities may not be adequately protecting electronic health information from compromise."
Additionally, the GAO report says some of HHS' technical assistance offered during investigations is misguided, and that it was not pertinent to identified problems. The report also says HHS did not always follow up with organizations to ensure agreed-upon corrective actions were carried out by the organization.
To address its findings, the GAO made five recommendations for HHS: update its security guidance to include controls described in the NIST Cybersecurity Framework, update technical assistance provided to covered entities, ensure following up on corrective actions, establish performance measures for the Office for Civil Rights' audit program, and establish and implement policies for sharing investigation and audit results.
HHS agreed with the GAO's recommendations and said it would take necessary steps to implement them.
More articles on cybersecurity:
Thoughts on big threats for hospitals today
CIOs say mobile devices are organizations' weakest cybersecurity link
Big data, cybersecurity, precision medicine among FDA's priorities in 2017