By Julie Appleby, USA TODAY
Medical and financial information gathered on millions of Americans by
Medicare, Medicaid and other government programs is vulnerable to
thieves or pranksters because of inadequate computer security, federal
"Significant weaknesses in information security controls" increase the
risk from those who would "inadvertently or deliberately disclose,
modify or destroy" sensitive data, the U.S. Government Accountability
The soon-to-be-released GAO review focuses on the Department of
Health and Human Services (HHS), whose agencies use computer systems to pay
more than a billion Medicare claims worth more than $290 billion each year,
track medical research at the National Institutes of Health and manage Food
and Drug Administration programs.
"Instead of firewalls to safeguard sensitive data, we have Swiss
cheese," says Sen. Chuck Grassley, R-Iowa, chairman of the Senate
Finance Committee, which requested the report. Grassley's office says
Medicare keeps a variety of information on beneficiaries, including
Social Security numbers, addresses, birth dates and medical
In a written response in the report, HHS officials said
investigators do "not provide an accurate or complete appraisal" of its
security programs and fail to note a 2005 effort that resulted in a
reduction of 57% in reportable deficiencies.
"The frequent use of the word 'significant' to describe control
weaknesses ... evokes a negative connotation that is not reflective of the
progress or current state of HHS' information security program," the
The review comes as the federal government is pushing computer
technology as key to improving medical quality and slowing costs. In
fiscal 2005, HHS will spend nearly $5 billion on information
technology, the report says, much of it to help process Medicare
payments to doctors and hospitals.
Investigators for the GAO reviewed management and audit reports from
2004 and 2005 that outline security practices at 13 HHS divisions and
- Anti-virus software not installed or up to date.
- Lack of adequate control over computer passwords.
- Employees and contractors serving without background checks.
- Inadequate physical controls to prevent spying or theft, such as non-working surveillance cameras and unrestricted access to a data
"Fundamentally, it's an organization that is behind in making security
part of its regular operations," says Alan Paller, who has seen the
report but was not involved in writing it. Paller is research director
at security firm the SANS Institute in Bethesda, Md. "It's very
dangerous for health care data."