GAO finds CMS data security practices wanting

A GAO report made public yesterday finds that Medicare patient data transmission is insecure. The AP/Washington Post story on the report says:

Security weaknesses have left millions of elderly, disabled and poor Americans vulnerable to unauthorized disclosure of their medical and other personal records, federal investigators said yesterday.

The Government Accountability Office said it found 47 weaknesses in the computer system used by the Centers for Medicare and Medicaid Services to send and receive bills and to communicate with health-care providers.

The agency oversees health-care programs that benefit one in four Americans. Its data are transmitted through a computer network that is privately owned and operated.

The CMS did not always ensure that its contractor followed the agency’s security policies and standards, according to the GAO.

"As a result, sensitive, personally identifiable medical data traversing this network are vulnerable to unauthorized disclosure," the federal investigators said.

CMS’s response stated that there had been no actual security breaches, and also noted (p. 12 of the report):

CMS has moved aggressively to implement corrective actions for the reported weaknesses and that corrective action or new compensating controls had already been completed for 22 of the 47 weaknesses. An additional 19 weaknesses are scheduled for closure. The remaining six weaknesses are under review to determine what additional resources are needed and their financial impact.

This comes on the heels of another GAO report that highlighted privacy breaches among subcontractors administering aspects of the Medicare, TRICARE and Medicaid programs, the lack of consistent reporting mechanisms, and the fact that some data was stored offshore, potentially beyond the reach of HIPAA enforcement.

We all know that reliance on digitized data and the global economy has created these potential problems. The GAO reminds us that a little extra vigilance will go a long way towards ensuring that we do not lose control over access to sensitive data.

David Harlow
