We wouldn't be so bold as to say "I told you so," but for months Redspin has been publicly calling on the ONC to beef up the security controls and measures in the "meaningful use" EHR incentive plan, the Federal Strategic Health IT Plan, and the HIPAA Security Rule itself. In fact just two weeks ago, we offered the following public comments on the Strategic Plan:

1. Inspector General Takes ONC to Task Over Lack of
General Security Controls
We wouldn’t be so bold as to say “I told you so,” but for months Redspin has been publicly calling on the ONC
to beef up the security controls and measures in the “meaningful use” EHR incentive plan, the Federal Strategic
Health IT Plan, and the HIPAA Security Rule itself. In fact just two weeks ago, we offered the following public
comments on the Strategic Plan:
“Next, the “security risk analysis” identified as Core Measure 15 should be defined as more than compliance
with the HIPAA security rule. Effective security is a process-driven cycle of regularly-scheduled assessments,
validation, remediation, and reporting that deliver continuous and durable improvements in information
security and help develop a culture of security awareness within organizations.” (Public Comments on Federal
Strategic Health IT Plan, 2011-2015)
Now this week, we learn the HHS Inspector General has audited HIT Standards, privacy protection under
HIPAA, and other security measures at CMS and the ONC. Their conclusion? “OIG found weaknesses in the
two HHS agencies entrusted with keeping sensitive patient records private and secure.” Such weaknesses
included lax oversight and insufficient standards for healthcare providers.
The CMS audit examined seven hospitals across the country and found 151 “vulnerabilities” in systems and
controls that are designed to safeguard electronic protected health information. Those lapses included 124 “high
impact vulnerabilities” such as unencrypted laptops and portable drives containing sensitive personal health
information, outdated antivirus software and patches, unsecured networks, and the failure to detect rogue
devices intruding on wireless networks. As a result, CMS had limited assurance that controls were in place and
operating as intended to protect electronic protected health information, thereby leaving ePHI vulnerable to
attack and compromise.”
This is exactly why Redspins’ HIPAA Risk Analysis and Security Assessments go well beyond the
requirements laid out by the CMS and ONC. And why hospitals, health systems and large provider practices
should carefully consider which vendor they select to perform their assessment service. This is not “check the
box” type of audit work. This is not something you can entrust to one-man consulting shops. There are serious
implications to leaving ePHI vulnerable to attack and compromise. Sure the ONC should be more specific in
regard to specific preventative controls or standards in the regulations. But whether stated in the regulations or
not, you as a hospital or business associate bear the ultimate responsibility for data breach. We urge you to hold
any outside security assessment vendor (including Redspin) to a higher standard. Don’t settle for competence;
seek out excellence.
Written by: Dan Berger
WEB PHONE EMAIL
WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM