By Julie Appleby, USA TODAY
Medical and financial information gathered on millions of Americans by Medicare, Medicaid and other government programs is vulnerable to thieves or pranksters because of inadequate computer security, federal investigators say.
"Significant weaknesses in information security controls" increase the risk from those who would "inadvertently or deliberately disclose, modify or destroy" sensitive data, the U.S. Government Accountability Office says.
The soon-to-be-released GAO review focuses on the Department of Health and Human Services (HHS), whose agencies use computer systems to pay more than a billion Medicare claims worth more than $290 billion each year, track medical research at the National Institutes of Health and manage Food and Drug Administration programs.
"Instead of firewalls to safeguard sensitive data, we have Swiss cheese," says Sen. Chuck Grassley, R-Iowa, chairman of the Senate Finance Committee, which requested the report. Grassley's office says Medicare keeps a variety of information on beneficiaries, including Social Security numbers, addresses, birth dates and medical conditions.
In a written response in the report, HHS officials said investigators do "not provide an accurate or complete appraisal" of its security programs and fail to note a 2005 effort that resulted in a reduction of 57% in reportable deficiencies.
"The frequent use of the word 'significant' to describe control weaknesses ... evokes a negative connotation that is not reflective of the progress or current state of HHS' information security program," the department said.
The review comes as the federal government is pushing computer technology as key to improving medical quality and slowing costs. In fiscal 2005, HHS will spend nearly $5 billion on information technology, the report says, much of it to help process Medicare payments to doctors and hospitals.
Investigators for the GAO reviewed management and audit reports from 2004 and 2005 that outline security practices at 13 HHS divisions and found:
• Anti-virus software not installed or up to date.
• Lack of adequate control over computer passwords.
• Employees and contractors serving without background checks.
• Inadequate physical controls to prevent spying or theft, such as non-working surveillance cameras and unrestricted access to a data center.
"Fundamentally, it's an organization that is behind in making security part of its regular operations," says Alan Paller, who has seen the report but was not involved in writing it. Paller is research director at security firm the SANS Institute in Bethesda, Md. "It's very dangerous for health care data."