GAO: CMS Responds Inconsistently to Data Breaches

CMS’ response to internal data breaches is inconsistent, according to a report from the U.S. Government Accountability Office.


The GAO reviewed eight federal agencies’ policies and procedures regarding data breaches. The report concludes that the agencies generally had the appropriate policies in place but implemented them inconsistently.

Within CMS specifically, of the 4,172 data breach incidents reported in 2012, the GAO analyzed the agency’s response to 60. The review found CMS consistently reported these incidents to HHS’ Computer Security Incident Response Center. However, CMS generally did not document either the risk levels assigned to the incidents or the rationale for those risk determinations, and often did not document the number of people affected. All three are government-endorsed best practices.

The GAO recommends that HHS require documentation of the risk assessment performed following data breaches, including the reasoning behind risk determinations; consistently document the number of people affected by each incident; and require internal reviews to identify lessons learned to improve the agency’s breach response.

HHS concurred with the GAO’s recommendations for improving the data breach response process.
