The Department of Health and Human Services has established guidance for use by covered entities in their efforts to comply with Health Insurance Portability and Accountability Act requirements regarding the privacy and security of protected health information, but it does not address all elements called for by other federal cybersecurity guidance, according to a new report by the Government Accountability Office. “Specifically, HHS's guidance does not address how covered entities should tailor their implementations of key security controls identified by the National Institute of Standards and Technology to their specific needs,” GAO said. “Such controls include developing risk responses, among others. Further, covered entities and business associates have been challenged to comply with HHS requirements for risk assessment and management. Without more comprehensive guidance, covered entities may not be adequately protecting electronic health information from compromise.” The report recommends that HHS update its guidance for protecting electronic health information to address key security elements; improve its technical assistance to covered entities; follow up on corrective actions; and establish metrics for gauging the effectiveness of its audit program. HHS generally concurred with the recommendations and stated it would take actions to implement them.
