The Government Accountability Office (GAO) noted in a March 28, 2019, letter from Gene L. Dodaro, Comptroller General of the United States, to U.S. Department of Health and Human Services Secretary Alex M. Azar II that four critical health information technology and cybersecurity recommendations, among 54 priority recommendations, have yet to be implemented.
The letter noted that, “serious cybersecurity threats to the infrastructure continue to grow and represent a significant national security challenge. Additionally, recent data breaches have highlighted the importance of ensuring the security of health information, including Medicare beneficiary data. Such data are created, stored, and used by a wide variety of entities, such as health care providers, insurance companies, financial institutions, researchers, and others. The four open priority recommendations within this area outline steps to ensure HHS can effectively monitor the effect of electronic health record (EHR) programs and progress made toward goals, encourage adoption of important cybersecurity processes and procedures among healthcare entities, protect Medicare beneficiary data accessed by external entities, and ensure progress is made toward the implementation of information technology (IT) enhancements needed to establish the electronic public health situation awareness network.”
As an example, the GAO letter stated: “We recommended in March 2018 that the Administrator of the Centers for Medicare & Medicaid Services develop processes and procedures to ensure that qualified entities and researchers have implemented information security controls effectively throughout their agreements with CMS. CMS will be engaging a contractor to review the current data security framework and make recommendations on specific controls and implementation requirements that would be appropriate for those entities. To fully implement this recommendation, CMS needs to develop appropriate processes and procedures for implementing these controls.”