A Lesson from the Department of Health and Human Services – Do As I Say Not As I Do
The Office of the Inspector General (OIG) recently published a report of an audit of the Department of Health and Human Services’ (DHHS) security controls over the implementation of personal identity verification (PIV) cards. The purpose of the audit was to determine whether the DHHS complied with Homeland Security Presidential Directive 12 (HSPD-12) which provides federal guidance on implementing a system for a common identification standard for federal employees and contractors.
The reason for the system is to ensure there are secure and reliable forms of identification for federal employees and contractors who are provided physical access to controlled facilities and electronic access to computer applications and data files in controlled information systems. The audit found that the DHHS’ security controls were inadequate because they did not implement certain important information security requirements. The OIG’s findings are summarized below:
- Enrollment and issuance process – Controls were not established to ensure that all credentialing requirements were met and that employees who performed HSPD-12 functions were trained. No standard was in place for key roles to be held by different employees to ensure adequate separation of duties and to verify the integrity of PIV credentials.
- Deactivation of PIV cards – PIV cards were not deactivated in a timely manner for terminated personnel.
- Security over system access – Controls were lacking to ensure that management had implemented policies and procedures related to access to the PIV system and protection of sensitive information.
- Security management – The network firewall configuration policies did not comply with DHHS’ policies or guidelines. Security management controls, including patch management, antivirus management, and configuration management were not implemented on HSPD-12 workstations at any of the PIV card issuance facilities that were audited. DHHS permitted nongovernmental computers to access card management systems.
- Physical security – Physical security controls to prevent physical access by unauthorized personnel were not adequate for the PIV system.
- Web vulnerabilities – Scans of the PIV system Web portal test sites found vulnerabilities in 17 categories.
Health care providers are required to implement policies and procedures to protect the privacy and security of patients’ protected health information under the Health Insurance Portability and Accountability Act (HIPAA), and to maintain comprehensive written information security plans to protect the personal information of residents of the Commonwealth of Massachusetts under the Massachusetts Attorney General’s Consumer Protection Statute. Providers may want to conduct their own audits to determine whether they have any similar weaknesses in their security controls. As a starting point, health care providers may want to consider the following questions:
- Do you take steps to train new employees as well as existing employees and independent contractors, including temporary and contract employees who need to access protected health information or personal information, on HIPAA privacy and security and the elements of your comprehensive written information security plan? Do you take steps to ensure that protected health information and personal information are only accessed by those employees who need to access the information to perform their job functions?
- When an employee leaves your facility or is terminated from employment, do you have a system in place to ensure that the employee’s physical and electronic access to protected health information and personal information is blocked in a timely manner? Do you have a procedure to ensure that a terminated employee returns all records containing protected health information and personal information that may be in the employee’s possession, including information stored on laptops or other portable devices or media, or in files, records, work papers, etc.?
- Are there controls in place to ensure that the policies and procedures for access to the facility’s computer system protect access to protected health information and personal information?
- Have you implemented firewall security measures? Are non-facility computers able to connect to your facility’s computer system?
- Do you have physical security measures in place to ensure that only authorized staff have access to files containing protected health information and personal information?
- Do you conduct a risk assessment of the internal and external risks to the privacy and security of protected health information and personal information at least annually or whenever there is a material change in your business practices that may affect the privacy and security of records containing such information?
If you have any questions about privacy and security or would like assistance in reviewing your HIPAA policies and procedures or comprehensive written information security plan, please contact Rochelle H. Zapol, a partner in Prince Lobel’s Health Care Practice Group and the author of this alert. You can reach Rochelle at 617 456 8036 or firstname.lastname@example.org.