On Monday, the Government Accountability Office (“GAO”) released a report (the “Report”) criticizing the U.S. Department of Health and Human Services (“HHS”) security and privacy guidance and oversight in protecting electronic protected health information (“ePHI”) from cybersecurity attacks. The Report noted that HHS guidance does not adequately address cybersecurity elements outlined in guidance published by other agencies and fails to explain how key elements of the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (the “Cybersecurity Framework”) can be implemented in the operations of covered entities and business associates. The GAO claims that the lack of adequate guidance by HHS leaves health information vulnerable to cybersecurity attacks.

The Report noted that cyber incidents in the health care sector have grown sharply in recent years. More than 113 million records were exposed as a result of health care data breaches in 2015, a considerable increase over previous years.

Figure: Number of Reported Hacking and Information Technology Breaches Affecting Health Care Records of 500 or More Individuals

The GAO notes that HHS guidance does not fully cover all elements outlined in the NIST Cybersecurity Framework. HHS published the HIPAA Security Rule Crosswalk to the NIST Cybersecurity Framework in February 2016. However, the GAO notes that HHS guidance documents do not fully cover all of the NIST framework subcategories; for example, HHS’ published HIPAA Security Rule toolkit covers only 19 of the 98 subcategories in the NIST Cybersecurity Framework. While HHS has stated that its guidance is intended to be minimally prescriptive to allow for flexible implementation, the GAO does not believe ePHI will be sufficiently secure until HIPAA covered entities and business associates address all elements of the NIST Cybersecurity Framework.

The GAO also notes that HHS enforcement actions are lacking. In cases where enforcement has occurred, the GAO claims HHS has often failed to follow up to ensure that corrective action is adequately completed. While HHS receives thousands of HIPAA complaints every year, it investigates very few (the GAO notes in the Report that 17,779 complaints were received in 2014 and that 89 percent of those were closed either on intake or after HHS provided technical assistance). The GAO also raises concerns that the technical assistance provided by the agency does not always address the identified issues (noting that in 12 of 94 cases in 2015 the technical guidance provided was inadequate).

The GAO makes the following five recommendations to improve health information cybersecurity. HHS should:

  • update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the NIST Cybersecurity Framework;
  • update technical assistance that is provided to covered entities and business associates to address technical security concerns;
  • revise the current enforcement program to include following up on the implementation of corrective actions;
  • establish performance measures for the Office for Civil Rights (“OCR”) audit program; and
  • establish and implement policies and procedures for sharing the results of investigations and audits between OCR and the Centers for Medicare & Medicaid Services to help ensure that covered entities and business associates are in compliance with HIPAA and the Health Information Technology for Economic and Clinical Health Act.

Posted by Stephanie Cason