The Office of Inspector General (OIG) plans to audit the Department of Health and Human Services (HHS) information security controls to track drug prescription reimbursements, according to the 2017 OIG work plan.
HHS will also be subject to penetration testing “to determine HHS’s and its operating division’s network security posture and determine whether these networks and applications are susceptible to hackers.”
OIG will determine whether HHS applications that track the disbursement of prescription drugs meet Federal information security standards. Specifically, it will focus on access and physical controls, but will also review application controls and assess network security, database security, and the security of web-facing applications.
OIG explained that penetration tests can help identify how unauthorized parties may access a system using varied tools and techniques.
“Computer hacker groups are increasingly active in attempts to compromise government systems, release sensitive data to the public, or use such data to commit fraud,” the report’s authors wrote.
HHS’s compliance with the Federal Information Security Modernization Act (FISMA) of 2014 will also be reviewed.
FISMA requires “that agencies and their contractors maintain programs that provide adequate security for all information collected, processed, transmitted, stored, or disseminated in general support systems and major applications,” according to OIG.
Health IT and the electronic exchange of information are becoming increasingly important to the US healthcare industry, OIG maintained. Technologies such as EHRs can bring forth “opportunities for improved patient care, more efficient practice management, and improved overall public health.”
“OIG has identified the meaningful and secure exchange and use of electronic information and health IT as a top management challenge facing HHS,” OIG stated. “Going forward, OIG’s planning efforts will consider the significant challenges that exist with respect to health IT adoption; meaningful use; and interoperability across providers, across HHS, and between providers and patients.”
In terms of information security and privacy, OIG added that it plans to expand its portfolio, and will also ensure that it includes issues that arise from the continuing expansion of the Internet of Things.
OIG found several instances this past year where information security controls were lacking in organizations that handle medical information. Penetration testing was often used to determine how facilities potentially needed to improve their web application or network security controls.
For example, while New York did implement health insurance exchange data security measures in its web site and database, improvements must still be made, according to an OIG report.
OIG reviewed the state’s health insurance exchange web site and the state database, and found that New York did not always remain compliant with Federal requirements.
“Our review of applicable Federal requirements included reviewing certain Centers for Medicare & Medicaid Services (CMS) requirements in the Minimum Acceptable Risk Standards for Exchanges Document Suite,” OIG wrote. “These requirements and standards include those related to security plans and risk assessments, vulnerability scanning and penetration testing, patch management and flaw remediation, Plan of Action and Milestones, and incident response.”
Similarly, OIG discovered data security gaps in Medicare administrative contractors (MACs), which are private healthcare insurers that enter into contracts with the Centers for Medicare and Medicaid Services (CMS) to process Medicare Part A and Part B claims and Durable Medical Equipment claims in specific locations.
Inventory processes in health IT systems were not implemented according to CMS requirements, according to OIG, and system security configurations did abide by CMS requirements. Security vulnerabilities were also uncovered using external network penetration testing.
“Without a comprehensive program for periodically testing and monitoring information security controls, management has no assurance that appropriate safeguards are in place to mitigate identified risks,” the report’s authors explained.