The HHS OIG has formed a multidisciplinary cybersecurity team composed of auditors, evaluators, investigators, and attorneys from various HHS agencies to help protect department data and systems and foster cybersecurity best practices among partners and stakeholders.
The team includes representatives from the following HHS agencies:
- Office of Audit Services, Cybersecurity and Information Technology Audit Division, which carries out cybersecurity and IT audits of HHS programs, grantees, and contractors
- Office of Evaluation and Inspections, which conducts broad evaluations of HHS cybersecurity-related programs
- Office of Investigations, Computer Crimes Unit, which conducts criminal investigations into allegations and incidents that affect HHS programs and operations
- Office of Counsel, which provides legal support for all OIG cybersecurity work
“The cybersecurity team aims to positively impact the cybersecurity culture within HHS by identifying and making actionable recommendations to address cybersecurity vulnerabilities and threats,” OIG explained.
The team has a three-pronged approach to protecting HHS systems and data, explained OIG IT Audit Director Jarvis Rodgers in a recent video. This approach includes IT controls, risk management, and resiliency, which includes incident response procedures and the ability to recover from a cyber incident or disaster.
The team will focus on protecting HHS data, systems, and beneficiaries from cybersecurity threats, one of the top management challenges identified in OIG’s Top Management and Performance Challenges Facing HHS 2017 report.
“Cybersecurity incidents and breaches pose a significant risk to the confidentiality, integrity, and availability of sensitive data. This could cause a myriad of problems including impeding HHS’s ability to offer essential programs and services, threatening major elements of our country’s critical infrastructure, and placing the health and safety of patients at risk,” the report warned.
“Additionally, data — particularly health care data — are extremely valuable to cyber criminals. Media reports have identified the value of electronic health records (EHRs) to be as much as 10 times that of a credit card number. The threat facing the Department comes not just from individual actors, but also from organized groups representing or acting on behalf of criminal organizations and foreign nation states with sophisticated tools and resources,” it added.
To meet these challenges, HHS needs to take steps to protect HHS data and systems as well as foster a culture of cybersecurity among its partners and stakeholders, the report counseled.
In previous audits, OIG has identified cybersecurity vulnerabilities in HHS systems and state Medicaid systems, such as inadequacies in access controls, patch management, configuration management, data encryption, and website security. These vulnerabilities affect the federal and state governments’ ability to protect PHI and other sensitive information.
“Ensuring the protection of the confidentiality, integrity, and availability of participants’ personal information — and the systems the initiatives rely on — is paramount,” the report stressed.
In addition, OIG advised HHS to foster a cybersecurity best practices culture among its partners and stakeholders. This can be done through policy, such as regulations, contract and grant requirements, financial incentives, or guidance.
For example, FDA has the mandate to promote medical device security, and CMS offers ways for participants in its design and operation programs to improve cybersecurity.
It can also be done through public-private partnerships, such as the Healthcare and Public Health Sector Coordinating Council.
“The Department must determine how best to support partners’ and stakeholders’ efforts to enhance cybersecurity while being mindful of the wide diversity in the infrastructure and resources available to prepare for, detect, and respond to cybersecurity threats,” the report noted.
Going forward, HHS must continue to address cybersecurity vulnerabilities identified by OIG and other agencies and organizations. Across HHS, several key mission areas rely on aging or outdated technology that poses a risk to the privacy and security of the department’s information, it observed.
In updating its technology, HHS should align its efforts with priorities defined in legislation and administration policy, such as the Federal Information Technology Acquisition Reform Act, legacy system modernization, and adoption of modern IT management practices, OIG stressed.
HHS should also use available policy levers to address health IT security issues with partners and stakeholders. These issues include the security of networked medical devices and Internet of Things devices that healthcare organizations are increasingly deploying.