HHS OIG Launches Cybersecurity Web Page
Site Highlights Watchdog Agency's Cyber Activities
The Department of Health and Human Services' Office of Inspector General has launched a new web page to draw attention to the growing importance of the watchdog agency's cybersecurity-related activities - ranging from security audits to fraud investigations.
"OIG recognizes protecting HHS data, systems and beneficiaries from cybersecurity threats as a top management and performance challenge facing HHS," the agency said in a statement on Tuesday announcing the launch of the new web page.
"In partnering with various HHS agencies to address this challenge, OIG has formed a multidisciplinary cybersecurity team comprised of auditors, evaluators, investigators and attorneys focused on combatting cybersecurity threats within HHS and the healthcare industry."
OIG is raising the profile of its cybersecurity efforts for many of the same reasons other organizations are intensifying their cyber focus, says Mac McMillan, CEO of the security consultancy CynergisTek. "The threat has become more dangerous and more pervasive. It puts service at risk. Privacy isn't the only thing at risk anymore. And these incidents are costing the U.S. and businesses significant losses of money."
Although the HHS OIG cybersecurity team is not new, "we're trying to bring more awareness of the area of work that we do," an HHS OIG spokesman tells Information Security Media Group.
The web page is now a central place where the public can review the various cybersecurity reports issued by HHS OIG, he notes.
Those reports include cybersecurity and IT audits of HHS programs, grantees and contractors conducted by OIG's cybersecurity and IT audit division, as well as reviews by OIG's office of evaluation and inspections, which conducts "broad evaluations of HHS cybersecurity-related programs," OIG says in a statement.
In the past, "a lot of our cybersecurity reports were non-public," the OIG spokesman tells ISMG. "We are trying to make this work more public, so that people know what's going on with our cyber related efforts. We are spending more resources on cybersecurity - it's becoming a bigger topic for Congress, which is also focusing more attention on cyber, electronic health records and other related issues."
While the HHS OIG spokesman declined to quantify the additional resources HHS OIG is dedicating to cybersecurity-related audits and investigations, he pointed to a statistic posted on the agency's new web page: HHS spends more than $11 billion annually on IT, "and tens of millions of cyberattacks" threaten this investment daily.
Setting an Example
CynergisTek's McMillan says HHS is "trying to set the example by showing they recognize the importance and responsibility to go through periodic audits and assessments to understand their security posture."
The consultant notes: "There is no such thing as 100 percent security, and organizations should be diligent in continuously looking for weaknesses in their controls. Organizations should not focus so much on their grade as finding and fixing their vulnerability."
OIG is spotlighting "that there should be transparency for those managing the data of others," he adds.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes that cybersecurity is a critical issue for HHS OIG because of the evolving threats HHS and its agencies are facing.
"While HHS, through its Office for Civil Rights, regulates information security of others, HHS itself is also a huge potential target for cybersecurity threats," Greene says. Incidents such as the Office of Personnel Management breach raised concerns about risks to HHS systems and websites, including Healthcare.gov, he notes.
"This web page seems focused on highlighting that HHS OIG is appropriately focused on safeguarding information within HHS' own systems," Greene says.
Privacy attorney Stephen Wu of the Silicon Valley Law Group offers a similar perspective.
"What I think is going on is that the government is placing a higher priority on cybersecurity as awareness continues to increase concerning threats to public and private sector systems," he notes. "I believe HHS is starting to improve security starting with systems within its direct control - systems within HHS and systems supporting HHS programs, grantees and contractors."
But Wu speculates that other influences also might be in play.
"The effectiveness of the EU's General Data Protection Regulation and California's Consumer Privacy Act prompted more attention within the administration, leading to a greater emphasis on cybersecurity and even exploring the possibility of federal data protection legislation through the Department of Commerce," he says. "Perhaps, this general increased awareness of threats and the need for greater support within the government has prompted HHS' initiative."
The new web page shows that so far in 2018, HHS OIG has issued at least four cybersecurity-related reports.
Those include a review of the information security programs of Medicare contractors, a review of HHS' compliance with the Federal Information Security Modernization Act of 2014, a report spotlighting the need for the Centers for Medicare & Medicaid Services to enhance the resiliency of its systems, and a report urging the Food and Drug Administration to "further integrate" cybersecurity reviews into its pre-market review processes for medical devices.
When it comes to issues involving cybersecurity of electronic health records, OIG has conducted a number of reviews and investigations, including evaluations of healthcare entities and certified EHR vendors participating in the HITECH meaningful use financial incentive program for EHRs.
Among HHS OIG's previous reviews related to EHRs was an assessment in 2016 that HHS had still not developed a plan for curbing billing fraud enabled by the cut-and-paste function in EHRs, as was recommended in an earlier OIG report issued in 2013.
Other EHR-related reports by HHS OIG include a 2016 review of hospital contingency plans for EHRs in case their systems are affected by cyberattacks and technical malfunctions, as well as by other major disruptions, such as natural disasters.