GAO Calls Out HIPAA As Inadequate

By: Arieanna Schweber | 10/7/2016

The Government Accountability Office (GAO) recently issued a report on the state of electronic health information. Specifically, they addressed the ineffectiveness of current guidance to address security risks. The available guidance is meant to help healthcare organizations comply with HIPAA requirements.

Current data security oversight in healthcare is not working. In the report, the GAO cites growing data breach incidents as proof of this shortfall. HIPAA requirements are missing critical elements, they say. These include measures such as risk responses and other tailored implementations of security controls, as outlined in the National Institute of Standards and Technology (NIST) cybersecurity framework. The report also notes that HHS compliance oversight is falling behind. Violations can take years to resolve, and there are no follow-up procedures in place to ensure that security has improved as a result of its audit program.

The GAO recommends that the HHS:

  • update its guidance for protecting electronic health information to address key security elements
  • improve the technical assistance it provides
  • follow up on corrective actions and gauge the effectiveness of the audit program
  • establish and implement policies and procedures for sharing the results of investigations and audits between OCR and CMS, to help ensure that covered entities and business associates comply with HIPAA and the HITECH Act

In the last couple of years, the HHS has been running an accelerated compliance enforcement program, by investigating smaller breaches and shifting focus toward the protection of ePHI. It remains to be seen if this report will prompt further operational changes.

Absolute DDS for Healthcare provides visibility into your fleet of devices, as well as the data they contain, with alerts for events and activities that could be precursors to a security incident. With insight from Absolute DDS reporting and alerts, you can prevent or respond to data breaches by remotely deleting data or locking down devices, and prove compliance if needed. With full reporting capabilities, you can prove that your data remained protected, even when it was physically outside your control. Absolute DDS for Healthcare is a comprehensive onboarding program, which pairs our highest level of endpoint security with expert forensic support to respond to and contain security incidents. Learn more at
