
OIG: HHS Must Modernize Its Approach to Cybersecurity

OIG called on HHS to modernize its cybersecurity approaches and improve data governance efforts.


By Jill McKeon

In the 2022 edition of its annual report on HHS’s top management and performance challenges, the Office of Inspector General (OIG) called on HHS to improve data governance, secure HHS systems, and modernize its approach to cybersecurity across the department.

“Persistent and growing cybersecurity threats exacerbate the challenges facing HHS associated with data and technologies used to carry out the vital health and human service missions of HHS divisions,” the report noted.

“These threats, if not mitigated, can put critical HHS program operations at risk and potentially impact the health and welfare of individuals served by HHS.”

The report shed light on the numerous challenges that HHS faces as it works to fulfill its mission to “enhance the health and well-being of all Americans” while combating daily cyber threats.

First, OIG noted that HHS “continues to improve how it collects, manages, shares, and secures its data.”

For example, the department is currently finalizing its HHS Data Strategy, which is intended to help the department address data sharing, privacy, governance, and security challenges.

“Hurdles HHS must overcome include the continued effect of data silos and legacy technology that do not easily support modern data governance and standardization,” the report noted, pointing to inconsistencies with how HHS leverages and manages data across its programs.

“Eliminating or reducing data silos within the Department and within HHS programs, ensuring that standardized data sets are developed, and increasing appropriate access across programs are essential to improving program management, evidence-based decision making, and benefiting from new technologies,” the report continued.

In addition to improving data governance and standardization, OIG highlighted the need to remove barriers to accessing public health data and encourage data sharing among providers, patients, and payers.

Additionally, OIG stressed the importance of improving HHS’s own security posture, a priority reinforced by President Biden’s May 2021 executive order on improving cybersecurity across the entire federal government.

In support of the executive order, the HHS Office of Information Security is currently finalizing its Strategic Plan, which will require significant organizational changes.

OIG described the challenge of securing HHS data as “multifaceted and complex because program needs and timeliness often compete with cybersecurity controls and capabilities.”

OIG emphasized the need for a risk-based approach in order to match the time-sensitive nature of cyber threats.

The federated nature of cybersecurity environments across the department also presents unique challenges, OIG suggested. HHS must tackle the complex challenge of ensuring that grant recipients and other partners have appropriate data protections in place across all HHS programs.

“The challenges posed by HHS’s federated nature are exacerbated by the complexity of ensuring that thousands of HHS contractors, grantees, and other partners have appropriate cybersecurity capabilities and implement the best-of-breed security solutions,” the report acknowledged.

The scope and volume of these programs make a consistent approach to managing cyber risk difficult. OIG again suggested that a risk-based approach that can be implemented across functions is crucial to success in this area.

Lastly, OIG noted the importance of maintaining vigilance as adversaries continue to pivot their tactics and find new ways to target sensitive data. While key public-private partnerships across the health sector have greatly improved awareness of cyber threats across the sector, there is still work to be done.

As new technologies continue to revolutionize care delivery, cyber threats are keeping pace. HHS must continue adjusting its approaches to cybersecurity and data privacy in order to match current threats and fulfill its mission.