An agency within the Department of Health and Human Services was recently audited by the Office of the Inspector General (OIG), and the resulting report found that it did not "fully implement and monitor" security controls. The report, posted by FierceHealthIT, grouped the deficiencies into six categories: IT asset inventory, patch management, antivirus management, logical access, encryption and USB port access control.
The review specifically covered controls that have been in effect at the Health Resources and Services Administration (HRSA) since 2013. Because HRSA handles sensitive health-related information, it needs security controls that let it operate effectively while protecting that data.
Overall, the findings were unfavorable. Encryption policies were not applied consistently, the antivirus status of HRSA systems was not monitored and no policy addressed USB port security. Given the range of outside entities HRSA exchanges data with, these missing controls point to real risk in its day-to-day operations. As a result of the review, the OIG made 18 recommendations, 17 of which HRSA agreed to.
On its own official website, HRSA recommends that health systems follow the HIPAA rules for instituting safeguards and addressing concerns. These include physical safeguards, such as workstation and device controls, and technical safeguards that are more policy-driven, such as authentication, audit controls and Protected Health Information (PHI) integrity.
Even organizations charged with enforcing health IT rules are subject to faults and errors. Regulatory compliance consulting applies just as much to government entities that need healthcare IT consulting assistance to understand what they must fix. An audit conducted by outside experts could spare these groups the trouble of an official one.