GAO report examines cybersecurity under HHS programs

On September 26, 2016, the U.S. Government Accountability Office (GAO) publicly released a report entitled "Electronic Health Information: HHS Needs to Strengthen Security and Privacy Guidance and Oversight" (GAO-16-771). The report examines the rapid increase from 2009 through 2015 in breaches of personal health information, culminating in 56 major breaches affecting 113,181,615 health records in 2015. GAO notes the evolving threats to IT security posed by cybercriminals, the longstanding HIPAA and HITECH IT security requirements, and the February 2014 "Framework for Improving Critical Infrastructure Cybersecurity" published by the National Institute of Standards and Technology (NIST) following an Executive Order from President Obama. GAO concludes that HHS guidance on IT security does not yet sufficiently address many of the key controls in the NIST framework, and that HHS oversight of covered entities should be strengthened. HHS has agreed to update its guidance accordingly. These updates will have an impact on HIPAA covered entities and business associates. The GAO report is available here: http://www.gao.gov/products/GAO-16-771