My grandfather once told me, “Believe half of what you see, a third of what you hear and 10 percent of what you read.” He of course was referring to what we all know…things are not always what they seem and a smart man seeks the truth, the whole truth.
This week we witnessed another example of this as the Assistant Inspector General (IG) of the Department of Health and Human Services (HHS) released its report: The Office For Civil Rights Did Not Meet All Of Its Oversight Requirements In Its Oversight And Enforcement Of The Health Insurance Portability And Accountability Act Security Rule. (We’ll refrain from commenting on the length of the title…really?)
This report on face value paints a very negative picture of the Office for Civil Rights’ (OCR’s) performance and registers another mark against HHS in information security. But wait, this report looks at information collected in 2010, just after OCR assumed responsibility for the Security Rule. Yet it was just published last month, three years later.
The first observation I would make is that it’s likely whatever the situation was in 2010 is not representative of today. The second observation I would make is the timing of these reports is lousy and hardly useful. Putting that aside, let’s take a closer look at what the IG had to say. In fairness I think it is only right to acknowledge that the IG that released this report is not the IG who authorized the audit.
The report details several shortcomings, the first of which was that OCR had not met its responsibility to conduct audits of covered entities as directed by the HITECH Act. Well, OK, in 2010 that was true. They had not yet begun conducting audits, but they had begun developing the audit program. They did begin audits in 2011, barely. It was December actually, but who is keeping track? And they completed their pilot year in December of 2012. We haven’t seen any audits in 2013 and probably won’t until summer of 2014 according to OCR's latest communication, but they will be auditing again.
So is it fair to say they haven’t met their responsibility today? I guess you could say that if you were expecting they were going to launch an audit program immediately in 2009 without any preparation, or if there was some requirement for X number of audits per year. The first scenario is unrealistic and certainly not what the industry would want, and the second doesn’t exist. So what of the money issue? HITECH essentially put OCR in a position of having to raise its own budget for enforcement activities by levying fines, but then tied their hands by requiring they first resort to “informal resolution” options before using fines. That makes it a little hard to raise revenues when you can’t fine. That of course was resolved this year with changes to enforcement in the Omnibus Rule. So the first claim is only partly believable.
The second complaint was that OCR had not followed investigative processes consistently and failed to maintain information relevant to those investigations in official files. This, if true, would of course be very troubling and highly uncharacteristic of experienced civil rights investigators and lawyers in general. Again, we are talking about 2010, right after OCR was given responsibility for oversight of the Security Rule.
Could it be that some of the inconsistency was due to, or perceived as, the initiation of this program? I don’t know for sure, but my gut tells me there is probably more to this claim than what is presented here. Investigations must be conducted properly and consistently, and the evidence of non-compliance accurately documented and retained, if we are going to hold people accountable. Given the careful and methodical process OCR has followed in conducting its investigations (some would say slow), it is hard to believe that this, if it was ever accurate, has not been corrected by now. As for the second claim, it is only partly believable.
The next claim is that OCR had not complied with FISMA. I doubt that anyone would argue that OCR’s systems maintaining information regarding their complaint and breach resolution activities should not be protected properly. The only question that matters here is whether or not there was a directive within the Department of HHS prior to this audit directing OCR to meet FISMA compliance. Compliance begins at the department level, is then directed to elements of the department, and is carried out by the operating units responsible.
The report is pretty clear that the department had an established policy regarding FISMA compliance; it existed prior to the audit and applied to OCR. The report also points out that there was some transfer of systems/data from CMS, but does not mention whether the legacy systems were accredited, and makes it apparent that this transfer was known to the department. The reason I make this point is that in 2010 OCR, to my knowledge, did not have any dedicated information security personnel, so who was supposed to carry out this accreditation? OCR is resident in the HHS headquarters building, so there is a good chance the HHS CIO is aware of their IT environment, perhaps even supports it. Why then did they not make sure these systems were accredited properly? The third claim is believable.
As you can tell, I’m not a fan of reports that come out years after an audit has occurred, which, if the reader does not pay careful attention, may leave the impression that this is how things are today. Secondly, my grandfather, who was one of the most important influencers in my life, taught me the important lesson of not necessarily believing everything at face value. In fairness to the IG, I do believe there are some truths in this audit report and some concerning issues, but I also believe that there is more here than meets the eye. OCR has come a long way from 2009/10 in its activities and maturity in information security, and it would be blatantly unfair to paint them TODAY with this brush. A better question: why did it take three years to publish such a simple report?