What's Needed: More HHS Guidance, or New HIPAA Security Rule?
Watchdog Report Calls for Expanded Security Guidance, But Some Experts Want New Rule
The Department of Health and Human Services needs to provide much more comprehensive guidance on how healthcare organizations and their business associates can better protect patient data by implementing security controls identified in the National Institute of Standards and Technology Cybersecurity Framework, according to a new watchdog agency report.
Reacting to the report, some security experts are calling for far bolder action than simply issuing more guidance.
"The HIPAA Security Rule should be replaced or rewritten to reflect the NIST Cybersecurity Framework as the standard to apply when developing a security program and selecting controls to protect protected health information," says Mac McMillan, CEO of the security consulting firm CynergisTek.
GAO Report's Findings
The Government Accountability Office's new report issued on Sept. 26, Electronic Health Information: HHS Needs to Strengthen Security and Privacy Guidance and Oversight, was prepared in response to a Congressional request. Congress asked the GAO to review the current health information cybersecurity infrastructure to describe expected benefits of and cyber threats to electronic health information, determine the extent to which the Department of Health and Human Services' security and privacy guidance for electronic health records is consistent with federal cybersecurity guidance, and assess the extent to which HHS oversees these requirements.
The new report says that although HHS makes available a variety of HIPAA-related guidance, more guidance is needed to address emerging cyber threats and concerns. "Gaps in the overall set of guidance could lead to incomplete risk assessments and risk management plans as well as inconsistent implementation of security controls," GAO writes.
For example, GAO notes that in February 2016, HHS' Office for Civil Rights published guidance - the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework - which maps the HIPAA Security Rule's administrative, physical and technical controls to relevant subcategories in the NIST framework.
While the "crosswalk" demonstrates how major elements of the HIPAA Security Rule correspond to elements of the NIST Cybersecurity Framework, the "HHS guidance does not address many of the specific security control elements included in the cybersecurity framework," the report states.
Of the 98 NIST framework subcategories, the crosswalk fully addresses only 19, the GAO report notes. "Many of the specific controls detailed within the framework's 98 subcategories are not addressed in either the HHS security assessment guidance or in its other risk management guidance. The HIPAA Security Information Series, which is intended to provide additional guidance on remediating risks, outlines a high-level approach to choosing and implementing controls and does not specifically address the cybersecurity framework controls or how covered entities and business associates should tailor them to meet their specific needs."
GAO notes that while adherence to the NIST Cybersecurity Framework is voluntary, "its core set of security controls represents a consensus of topics to consider when developing information security programs. ... Without addressing all major elements of the Cybersecurity Framework, the guidance may not be helping guide these entities as effectively as possible to comprehensively consider potential risks to the security and privacy of electronic health information. As a result, systems containing such information may remain unnecessarily vulnerable to breaches and other security and privacy threats."
Time to Update or Replace HIPAA Security Rule?
McMillan, the consultant, says the HIPAA Security Rule is woefully out of date.
"I completely agree that the HIPAA Security Rule and the guidance published regarding its implementation has critical gaps as described by GAO," he says. "Many of us have been saying this for years."
The OCR guidance regarding risk analysis is consistent with NIST guidance in terms of the process, he says. "The disconnect comes when organizations only address those requirements detailed in the [HIPAA] security rule. The OCR guidance on how to conduct a risk analysis using the NIST CSF is the direction we need to go."
Like McMillan, Kate Borten, founder of security and privacy consulting firm The Marblehead Group, says the time has come to revamp the HIPAA Security Rule.
"The core recommendation should be to update the [HIPAA] security rule by expanding the scope of the controls to reflect nationally or internationally recognized security standards," she says. "The NIST Cybersecurity Framework is a logical place to start."
Tom Walsh, founder of consultancy tw-Security, says that so far, HHS guidance has been focused primarily on compliance with the HIPAA Security Rule, which limits its relevance in the current environment. "The original draft security rule was published in August of 1998 and modified slightly before being finalized in February 2003. How different is today's cybersecurity world as compared to the mainframe world of 1998?"
Walsh also notes that the HHS security risk assessment tool "is compliance based, not security based." Therefore, it falls short of a "thorough risk analysis" as required in the HIPAA Security Rule, he contends.
Dozens of commonly used security-related terms are missing from the HIPAA Security Rule as well as HHS's security risk assessment tool, Walsh says. Those include, for example, hacker, cybersecurity, cloud, secure socket layer, scan, vulnerability scanning, penetration and intrusion.
"Some CEs and BAs push back against any suggested security control if it is not specifically required in the HIPAA Security Rule, which is a bad practice," he says. "The [security] rule's only saving grace is the first implementation specification - risk analysis," he says. "What is sad is ... the guidance provided on risk analysis from HHS ... is a compliance gap analysis and not a true risk analysis."
Other GAO Findings
In addition to spotlighting gaps in HHS security-related guidance, GAO also spells out several other areas for potential improvement related to HHS setting standards for protecting electronic health information and for enforcing compliance with these standards.
For instance, GAO notes that while HHS has established enforcement programs - including breach investigations - for compliance with privacy and security regulations, OCR has not always followed up to ensure that agreed-upon corrective actions were taken by covered entities and business associates once investigative cases are closed.
"These weaknesses result in less assurance that loss or misuse of health information is being adequately addressed," GAO notes.
The GAO report recommends that HHS:
- Update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the NIST Cybersecurity Framework;
- Update assistance provided to covered entities and business associates to address technical security concerns;
- Revise the current enforcement program to include following up on the implementation of corrective actions;
- Establish performance measures for the OCR audit program;
- Establish and implement policies and procedures for OCR sharing the results of investigations and audits with the Centers for Medicare and Medicaid Services to help ensure that CEs and BAs are in compliance with HIPAA and the HITECH Act.
The GAO report notes that HHS generally concurred with the recommendations and stated it would take actions to implement them.
In a statement, OCR tells Information Security Media Group: "We appreciate GAO's recommendations as OCR continues to work to safeguard personal privacy and ensure electronic health information is protected."