Coast Guard Health Data Privacy Is Suspect
IG: Personnel, Kin May Be Exposed to Loss of Privacy, ID Theft

The United States Coast Guard faces challenges in protecting the private information found in medical records of its personnel and their families, a Department of Homeland Security inspector general report says.
Sondra McCauley, assistant inspector general for IT audits, writes in the report titled United States Coast Guard Safeguards for Protected Health Information Need Improvement that the Coast Guard does not maintain consistent instructions for managing and securing health records. "Without updated instructions for records retention and disposal, USCG may expose personnel and their families to loss of privacy and identity theft," she says.
McCauley points out that Coast Guard clinics have not established a process to periodically review physical security to mitigate risks to private data. In addition, she says the Coast Guard, part of DHS, does not have formal communications such as regular meetings between its privacy and HIPAA officers to improve privacy oversight and incident reporting. "Lacking such coordination, USCG is limiting its ability to assess risks and mitigate potential for privacy or HIPAA breaches," she says.
Ariel Silverstone, a veteran chief information security officer who has dealt with HIPAA compliance, suggests the privacy challenges the Coast Guard faces are due, in part, to no one taking ownership of the problem. "It appears that no one functionary, even at the assistant commandant level, is responsible for privacy," Silverstone says. "The privacy structure and the clear political obstacles at USCG have created, and will continue to create, an untenable situation. The privacy function for HIPAA should be either dotted-line to the agency chief privacy officer or have the privacy elements of HIPAA moved to that office in full."
The IG made a series of recommendations, including having the Coast Guard vice commandant establish a formal mechanism to ensure communications between the privacy officer and the HIPAA privacy and security official to enhance privacy oversight and reporting. The IG also recommended the vice commandant establish milestones to ensure the Coast Guard has contingency plans in place to safeguard privacy in event of a disaster or emergency and to periodically review steps to mitigate physical risks at clinics.
Rear Admiral Todd Sokalzuk, Coast Guard assistant commandant for resources and chief financial officer, responded that the Coast Guard concurs with the recommendations and will implement them.