HCFA, contractors putting medical records at risk
Lax oversight of contractors has put sensitive information about Medicare beneficiaries at risk, according to a review of the Health Care Financing Administration's computer system. "Audit after audit, even the most recent, continue to reveal significant computer security problems at HCFA and its Medicare contractors-vulnerabilities that continue to place personally identifiable medical information at risk of unauthorized access, disclosures, misuse or destruction," Rep. James Greenwood, R-Pa., said at a Wednesday hearing on the security of HCFA's computer systems. The hearing was part of an ongoing review of the security of government computer systems by the House Energy and Commerce Oversight and Investigations Subcommittee. In its 2000 financial audit, the Department of Health and Human Services inspector general found 124 security weaknesses in Medicare's claims processing system--115 at contractor sites and nine at HCFA. The agency relies on 50 contractors-mostly Blue Cross and Blue Shield insurance plans-to process more than 890 million Medicare claims annually. Such companies as AT&T and IBM maintain the network linking HCFA and insurers. HHS Assistant Inspector General Joseph Vengrin told the committee that HCFA lacked a comprehensive plan to monitor the security of its contractors. Instead, the agency typically relies on contractors to assess their own performance. Additionally, HCFA's contracts rarely, if ever, make mention of security expectations, according to Michael Newman, president of En Garde Systems Inc., a consulting firm hired by HCFA to analyze its security. More than two years ago, En Garde made a series of recommendations urging the agency to address some of its security issues and embark on an ambitious round of testing. "On several occasions, we witnessed HCFA contractors argue against improving security, stating that changes HCFA asked for were difficult or impossible when, in fact, they were not," he said. Despite the problems, Jared Adair, the agency's deputy chief information officer, noted that HCFA has never had a breach of security. Adair added that the agency has started meeting with contractors on a regular basis to try and tackle some of these security issues. The point was not lost on Greenwood, who commended the agency for being more proactive than other federal agencies. Still, he plans to hold the agency's feet to the fire. "HCFA must demand that its contractors submit independent testing of their systems," he said.