Adequately addressing the industry’s current cybersecurity threats is a key aspect of one of the major management and performance challenges for HHS, the Office of Inspector General determined in its annual report.
OIG’s 2017 Top Management and Performance Challenges for HHS found that the agency must protect its data and systems, while also “fostering a culture of cybersecurity beyond HHS.”
“Cybersecurity incidents and breaches pose a significant risk to the confidentiality, integrity, and availability of sensitive data,” report authors wrote. “This could cause a myriad of problems including impeding HHS’s ability to offer essential programs and services, threatening major elements of our country’s critical infrastructure, and placing the health and safety of patients at risk.”
“The Department must ensure that it takes appropriate actions to protect all HHS data and systems from cybersecurity threats,” OIG added, saying the agency must also build a cybersecurity culture with its partners and stakeholders.
The other top issues OIG found were the following:
- Ensuring program integrity in Medicare
- Ensuring program integrity in Medicaid
- Curbing the opioid epidemic
- Improving care for vulnerable populations
- Ensuring integrity in managed care and other programs delivered through private insurers
- Improving financial and administrative management and reducing improper payments
- Protecting the integrity of public health and human services grants
- Ensuring the safety of food, drugs, and medical devices
- Ensuring program integrity and quality in programs serving American Indian and Alaska Native populations
HHS must make a continuous effort to protect its data and information systems, which is especially critical because the agency is “under constant attack,” OIG stressed. Citing previous OIG investigations, the report pointed out inadequacies in access controls, patch management, configuration management, encryption of data, and website security.
“Such weaknesses could affect the Department’s ability to protect against unauthorized access to sensitive information,” report authors explained. “Ensuring the protection of the confidentiality, integrity, and availability of participants’ personal information—and the systems the initiatives rely on—is paramount.”
The culture of cybersecurity can be instilled in HHS partners and stakeholders through policy and partnerships, according to the report. For example, FDA has opportunities that promote medical device security and CMS offers ways for design and operation program participants to improve cybersecurity.
“HHS is the Sector-Specific Agency for the Healthcare and Public Health Sector (HPH) and the Co-Sector-Specific Agency for the Food and Agriculture Sector,” OIG explained. “In those roles, HHS is tasked with, among other things, coordinating with Federal partners, collaborating with critical infrastructure owners and operators, and offering support in identifying vulnerabilities and mitigating incidents.”
The Health Care Industry Cybersecurity Task Force Report also discussed how numerous sectors need to enhance cybersecurity measures and understand that available infrastructure and resources are diverse. Collaboration will help prepare for, detect, and respond to evolving cybersecurity threats, OIG noted.
Steps have been taken in the right direction for both areas, the report pointed out. Cybersecurity threat information sharing and developing better risk assessment frameworks were at the center of the 2016 Memorandum of Understanding between FDA and the National Health Information Sharing and Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety, and Security Consortium.
HHS also developed the Healthcare Cybersecurity and Communications Integration Center (HCCIC).
“To further foster a culture of cybersecurity among partners and stakeholders to protect beneficiaries, HHS must use available policy levers to address Health IT security issues,” OIG explained. “Ongoing work will continue to consider security issues related to networked medical devices, and future work may consider additional security issues that arise from the continuing expansion of the Internet of Things.”
While HHS has also made progress in managing its data and protecting its information systems, the agency must continue to mitigate the risk of unauthorized access and prevent sensitive information from being stolen.
HHS relies on aging or outdated technology in certain mission areas, which can create a great risk to those systems if compromised, OIG pointed out.
“As the Department updates or acquires new technology, HHS must also ensure that it aligns with technology priorities defined in legislation and administration policy,” report authors stated. “This includes the full implementation of the Federal Information Technology Acquisition Reform Act, modernization of legacy systems, and adoption of modern IT management practices.”
Last year’s report addressing top HHS challenges was very similar, with OIG stressing the need for HHS to focus on the meaningful and secure exchange and use of electronic information. Having current health IT and a secure way to exchange health data is critical for numerous programs, the previous report explained.
“HHS has made great strides in developing a nationwide health IT infrastructure that supports the appropriate flow of complete, accurate, and timely information,” OIG wrote. “As of September 2016, more than 599,000 eligible professionals, eligible hospitals, and critical access hospitals were actively registered in the EHR incentive programs.”