OIG Calls On HRSA to Improve Data Security of Organ Transplant Network

September 06, 2022 - UPDATED 9/7/2022 - This article has been updated to include a statement provided by the United Network for Organ Sharing (UNOS).

The Health Resources and Services Administration (HRSA), under HHS, has room for improvement when it comes to the data security and oversight of the Organ Procurement and Transplantation Network (OPTN), an Office of Inspector General (OIG) report found.

The OPTN is a public-private partnership under which HRSA is able to allocate and distribute donor organs to individuals in need. The United Network for Organ Sharing (UNOS) is responsible for managing the OPTN under contract with the federal government.

OIG reviewed numerous IT controls that UNOS had implemented for the OPTN, including risk assessments, access controls, vulnerability assessments, and configuration management. OIG’s analysis found that, in recent years, HRSA had largely ensured that the proper data security controls were in place to protect the confidentiality and integrity of the OPTN’s data in alignment with federal requirements.

“However, we identified areas for which HRSA could improve its oversight of UNOS to ensure that all Federal cybersecurity requirements are being met in a timely manner,” OIG stated.

READ MORE: 5 Security Vulnerabilities Found in Contec Vital Signs Patient Monitors

“We noted that HRSA could improve its oversight of UNOS to ensure that UNOS performs adequate reviews of local user access of the OPTN, and that certain key cybersecurity policies and procedures were finalized and in place.”

Prior to 2018, the OPTN did not have cybersecurity standards at all, the report noted. HRSA officials told OIG that “because HRSA did not believe it could compel compliance with these requirements before 2018, it conducted only limited oversight of the OPTN’s cybersecurity.”

But in 2018, HRSA modified its contract with UNOS to account for additional security measures, including requiring it to follow National Institute of Standards and Technology (NIST) and Federal Information Systems Modernization Act (FISMA) cybersecurity standards.

This update “allowed HRSA to increase its cybersecurity oversight of OPTN to include monitoring compliance with FISMA and NIST, in addition to the annual security assessments it said were being performed,” the report noted.

“HRSA said that it begins its security assessments by reviewing all controls that require annual testing. Then it breaks up the remaining controls by thirds, grouping families with overlap and responsible parties together. In addition, HRSA tracks the selections in a spreadsheet to ensure that it tests all the annual controls annually and all the others at least every 3 years.”

READ MORE: Biggest Healthcare Data Breaches Reported This Year, So Far

As of 2020, HRSA began using a third party to conduct vulnerability scans of the OPTN and provided evidence that it follows up on the security issues identified by the scans.

Although OIG found the security controls implemented for OPTN by UNOS to be largely satisfactory, the report noted some significant areas in which HRSA could improve its oversight of UNOS. As the cost and frequency of healthcare data breaches increase, it is crucial that organizations that handle sensitive data employ strict security controls.

“HRSA could improve its oversight of UNOS to ensure that UNOS performs adequate reviews of local user access of the OPTN, and that certain key cybersecurity policies and procedures were finalized and in place,” the report explained.

“In addition, HRSA lacked adequate oversight procedures for UNOS to ensure that all Federal cybersecurity requirements were being met in a timely and effective manner.”

The auditors found that UNOS had numerous key controls that were either in draft or did not exist at all. For example, policies and procedures surrounding access controls were still going through the approval process at the time OIG’s report was published.

READ MORE: Democratic Leaders Question Meta on Data Privacy Practices

Additionally, UNOS did not have policies surrounding system monitoring, and its risk assessment policies were expected to be finalized by the third quarter of 2022.

“Without finalized, written policies and procedures, there is a high risk that UNOS staff may not fully understand or perform as intended their roles and responsibilities as they pertain to certain cybersecurity controls, or that the OPTN will not comply with NIST controls as required by the FISMA,” OIG stated.

“A lack of finalized, written policies and procedures could result in essential cybersecurity controls not being implemented properly or at all. Some of the controls assist in the timely detection of a cybersecurity attack or verify that access is restricted and the integrity of the organ matching process is maintained. In addition, because of the critical role of the OPTN and the sensitive data it contains, a security breach could have significant consequences for vulnerable patients.”

OIG recommended that HRSA develop enhanced oversight controls to ensure that UNOS complies with federal security requirements and implements key security measures in a timely manner. After learning of OIG’s findings, HRSA hired a federal employee to serve as the OPTN Information System Security Officer (ISSO). Additionally, HRSA said it took action to finalize the policies that were in draft at the time of publication.

“We are encouraged that HRSA has taken steps to improve its oversight controls and procedures of the OPTN and the OPTN contractor,” OIG concluded.

UNOS provided the following statement to HealthITSecurity: 

In their new report, the Office of the Inspector General (OIG) found the OPTN security controls “protect the confidentiality, integrity, and availability of transplant data in accordance with Federal requirements.” This OIG audit of the computer systems operated by UNOS on behalf of the OPTN began in June of 2021 and concluded in December of 2021.

UNOS appreciates OIG’s confirmation of the strength of our cybersecurity controls, as well as their brief recommendations resulting from the audit. One recommendation was related to the completion of information security policies and the other was a request to increase the frequency of OPTN user audits as a way to bolster the existing, effective controls protecting the system.

The OIG recommendation to establish additional cybersecurity policies and procedures identified in the report were already underway prior to the audit and were delivered to HRSA in February of 2022. 

Based both on the OIG’s suggestion and our ongoing focus on continuous improvement, an increased schedule for OPTN user audits was adopted early in 2022. Work continues on associated system changes in support of this new quarterly review process. These system changes are anticipated to take effect in early 2023.

Based on their comprehensive audit, OIG’s findings show a more fact-based picture of our IT system when compared to other recent analyses, and we look forward to continuing to work with HRSA, OIG and others to maintain and improve our safe, efficient and effective IT system.