Recently, the Government Accountability Office (GAO) reviewed the U.S. Department of Health and Human Services’ (HHS) security and privacy oversight and identified significant gaps in the cybersecurity guidance provided by HHS to entities regulated by HIPAA. The report’s primary criticism emphasized that though HHS prepared a crosswalk with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the crosswalk included only 19 cybersecurity factors identified by NIST in the framework. This leaves 98 subcategories of NIST’s framework unaddressed and, according to the GAO, unnecessarily exposes EHRs (and therefore protected health information) to security threats.
The GAO report recommends that HHS:
- Update HHS guidance for protecting electronic health information to address the remainder of the controls that HHS’ current guidance does not address from the NIST Cybersecurity Framework.
- Improve technical assistance it provides to covered entities to ensure that it is pertinent to the identified problems.
- Follow up on its corrective action recommendations after an investigation is concluded.
- Establish benchmarks to assess the effectiveness of the audit program.
HHS’s response generally concurred with the GAO recommendations, although it also clarified that the nature of the NIST Cybersecurity Crosswalk is not to be a comprehensive guide for all entities seeking to protect electronic protected health information, but as one guide among many others HHS has made available for risk management purposes.
The remainder of the recommendations did not take into account that HHS is in the process of the Phase 2 audits or that the structure of corrective action plans requires long-term monitoring (two years or more), which HHS pointed out in its response to the GAO report.
The GAO emphasized that the NIST Cybersecurity Framework crosswalk lacked detailed guidance for risk assessments and corresponding risk management plans. For healthcare providers, both OCR’s 2016 resolution agreements, which have repeatedly emphasized the need for enterprise-wide risk assessments, and the GAO report findings regarding risk assessments and risk management guidance reflect the importance of undertaking a comprehensive risk assessment and appropriately managing those risks to prevent security threats to protected health information. Healthcare providers should at the least implement safeguards that meet the bare minimum requirements from HHS and utilize NIST guidance to fully secure protected health information.