Computer Security at HHS Inadequate, GAO Says
Medical and financial information collected by Medicaid, Medicare and other HHS programs is vulnerable to theft or disclosure because of insufficient computer security at the agency, according to a Government Accountability Office report, USA Today reports. The report says, "Significant weaknesses in information security controls" increase the vulnerability of the data to individuals or groups who would "inadvertently or deliberately disclose, modify or destroy" the data.
HHS uses computer systems to process Medicare claims, track NIH research and manage FDA programs, USA Today reports. The report, which was requested by the Senate Finance Committee, also finds instances of:
- Anti-virus software that is not installed or up-to-date;
- Computer passwords that are not properly controlled;
- Employees and contractors who are working without background checks; and
- A lack of physical controls, including inoperable surveillance cameras and unrestricted access to a data center.
Senate Finance Committee Chair Chuck Grassley (R-Iowa) said, "Instead of firewalls to safeguard sensitive data, we have Swiss cheese." Grassley's office said Medicare has a variety of data on beneficiaries, including Social Security numbers, addresses, birth dates and medical conditions.
HHS officials issued a written response to the reports, saying GAO investigators do "not provide an accurate or complete appraisal" of the agency's security programs. The report fails to note a 57% reduction in reportable deficiencies that resulted from a 2005 effort, HHS said.
"The frequent use of the word 'significant' to describe control weaknesses ... evokes a negative connotation that is not reflective of the progress or current state of HHS' information security program," the agency's response says.
Alan Paller, research director at the SANS Institute, said, "Fundamentally, [HHS is] an organization that is behind in making security part of its regular operations. It's very dangerous for health care" (Appleby, USA Today, 3/23).