HHS auditors find cybersecurity holes at hospitals

May 20, 2011
Cyber Security, FedCyber Wire

via Fierce Government IT

An audit from the Health and Human Services inspector general questions the ability of private sector hospitals to protect health information in electronic form.

Under the Health Insurance Portability and Accountability Act, more commonly known as HIPAA, hospitals have a duty to protect the confidentiality and integrity of health information. Auditors examined seven hospitals scattered across the United States and in a report dated May 16, say they found 151 security vulnerabilities, 124 of which they categorize as high impact.

The vast majority of the high-impact vulnerabilities (106 of them) had to do with wireless access safeguards. For example, four hospitals used Wired Equivalent Privacy to protect their wireless networks, despite WEP being widely discredited as an encryption standard.

Three hospitals had rogue access points, and three hospitals also had no firewall between the wired and wireless networks. In all, five of the seven examined hospitals had wireless-related vulnerabilities, the report says.
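The two wireless findings above (WEP still in use, and access points nobody in IT manages) are the kind of thing a site survey catches if someone compares the results against an inventory. The following is an added example, not code from the audit report or from Fierce Government IT: it assumes a survey exported as SSID, BSSID and encryption mode, plus a list of the BSSIDs the hospital's IT staff actually manage, and flags managed radios still on WEP or open authentication as well as unknown radios, prioritising unknowns that advertise a corporate SSID. The survey records and inventory are constructed sample data.

```python
"""Flag discredited encryption and rogue access points in a wireless survey.

Added example with constructed data; the survey format and the inventory
of managed BSSIDs are assumptions, not artefacts from the HHS audit.
"""
from dataclasses import dataclass

# Modes the audit would count as a wireless safeguard failure:
# WEP is broken, and OPEN means no link-layer protection at all.
DISCREDITED_MODES = {"WEP", "OPEN"}


@dataclass(frozen=True)
class AccessPoint:
    ssid: str        # network name the radio advertises
    bssid: str       # radio MAC address
    encryption: str  # "WEP", "WPA2", "OPEN", ...


# Constructed inventory: BSSIDs the hospital IT team deploys and manages.
AUTHORIZED_BSSIDS = {
    "00:11:22:33:44:01",
    "00:11:22:33:44:02",
    "00:11:22:33:44:03",
}

# Constructed site-survey output as a scanning tool might export it.
SURVEY = [
    AccessPoint("HOSP-CLINICAL", "00:11:22:33:44:01", "WPA2"),
    AccessPoint("HOSP-CLINICAL", "00:11:22:33:44:02", "WEP"),   # legacy radio never migrated
    AccessPoint("HOSP-GUEST",    "00:11:22:33:44:03", "WPA2"),
    AccessPoint("linksys",       "aa:bb:cc:dd:ee:ff", "OPEN"),  # consumer AP plugged into a ward jack
    AccessPoint("HOSP-CLINICAL", "de:ad:be:ef:00:01", "WPA2"),  # unknown radio using a corporate SSID
]


def find_weak_encryption(survey, authorized):
    """Managed radios whose encryption mode is WEP or absent."""
    return [
        ap for ap in survey
        if ap.bssid.lower() in authorized and ap.encryption.upper() in DISCREDITED_MODES
    ]


def find_rogue_aps(survey, authorized):
    """Radios not in the inventory, with a priority for triage.

    An unknown radio that reuses one of the hospital's own SSIDs is the
    more urgent case: clients configured for that SSID may associate to it.
    """
    corporate_ssids = {ap.ssid for ap in survey if ap.bssid.lower() in authorized}
    rogues = []
    for ap in survey:
        if ap.bssid.lower() in authorized:
            continue
        priority = "high" if ap.ssid in corporate_ssids else "medium"
        rogues.append((ap, priority))
    return rogues


def audit_wireless(survey, authorized=AUTHORIZED_BSSIDS):
    """Summarise both checks as a dict suitable for a findings report."""
    normalized = {b.lower() for b in authorized}
    weak = find_weak_encryption(survey, normalized)
    rogues = find_rogue_aps(survey, normalized)
    return {
        "weak_encryption": [ap.bssid for ap in weak],
        "rogue_aps": {ap.bssid: priority for ap, priority in rogues},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_wireless(SURVEY), indent=2))
```

Run against the constructed survey, the report lists one managed radio still on WEP and two rogue radios, the one advertising a corporate SSID marked high priority. In practice the inventory comes from the wireless controller and the survey from a periodic walk-through or a wireless IDS, and the third finding in the report, the missing firewall between wired and wireless segments, is a network-design check that a survey like this cannot make.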

All hospitals had some type of integrity control vulnerability, including uninstalled critical operating system patches, outdated antivirus applications, or even operating systems no longer supported by the manufacturer.

Five hospitals had an audit control vulnerability, including not routinely viewing audit logs.

In the official response to the audit, Georgina Verdugo, director of the HHS Office for Civil Rights, which enforces HIPAA, cautioned against drawing conclusions about all U.S. hospitals from the sample in the audit. She also said that the office has a compliance review underway.

Story here.