HHS's COVID-19 Response, Recovery Efforts to Be Scrutinized

OIG Spells Out Plans for Monitoring Security, Privacy Efforts

A federal watchdog agency has established key goals and objectives – including protecting the security of IT infrastructure as well as combating fraud – that drive its oversight of the Department of Health and Human Services’ COVID-19 response and recovery activities.

The HHS Office of Inspector General on Monday released a strategic plan for its oversight of HHS COVID-19 response and recovery “to promote the economy, efficiency, effectiveness and integrity of HHS programs, as well as the health and welfare of the people they serve.”

The watchdog agency notes that the emergence of COVID-19 “has created unprecedented challenges for HHS and for the delivery of healthcare and human services to the American people.”

Four Goals

OIG says its plan sets forth four goals that drive its strategic planning and mission execution with respect to HHS’s COVID-19 response and recovery:

  • Protect infrastructure, including the security of HHS information technology and the personal information and data collected and maintained;
  • Protect people, including providing oversight and support to help combat fraud and identity theft schemes that endanger individuals;
  • Protect funds, including conducting audits and evaluations of HHS’s oversight, management and internal controls for disbursement and use of $251 billion in funding that was appropriated to HHS for COVID-19 response and recovery;
  • Promote effectiveness of HHS programs, including identifying successful practices and lessons learned from the COVID-19 response at the federal, state and local levels, and make recommendations to strengthen future emergency preparedness and response.

OIG will assess HHS’s efforts to expand use of telehealth during the COVID-19 outbreak and its implications for future Medicare policies, the agency notes.

Protecting IT Infrastructure

The urgency of protecting HHS's IT infrastructure “is heightened as cyberattacks against HHS, healthcare institutions and researchers have increased since the COVID-19 pandemic started,” OIG notes, pointing to the potential theft of research and intellectual property.

“The technologies that are being employed in COVID-19 response may be subject to cyberattacks,” OIG says. “OIG conducts cybersecurity audits, makes recommendations to strengthen cybersecurity and investigates cybersecurity attacks against HHS.”

Authorities in the U.S. and U.K. have issued alerts in recent weeks warning of hackers targeting research facilities and healthcare organizations that are conducting vaccine trials and testing treatments for COVID-19 (see Lawmakers Demand Details on Fighting China-Linked Hacking).

Audit Plans

To help protect the security and integrity of HHS’s information systems, OIG will:

  • Audit HHS capabilities for detecting IT vulnerabilities and incidents, mitigating threats and restoring IT services;
  • Audit whether known cybersecurity vulnerabilities related to networked medical devices, telehealth platforms and other technologies being used in COVID-19 response have been mitigated;
  • Investigate cybersecurity threats to, and attacks on, HHS systems;
  • Provide technical assistance to HHS to support a secure and robust IT infrastructure.

Important Steps

“There is a general sense in the cybersecurity community that we can expect an increase in cyberattacks during this overall situation, so I think it makes sense [for HHS OIG] to focus on these issues,” says privacy attorney Kirk Nahra of the law firm WilmerHale.

“We have been seeing risks because of overall work-from-home issues, increased phishing scams and new issues related to things like telehealth and certain patient access issues, where security controls have been intentionally weakened to facilitate other goals,” he says.

While the surge in remote work and telehealth makes sense during the pandemic, the government and the public must think carefully about the potential consequential risks, he adds.

OIG's oversight actions are important “because prior audits have found that HHS and its federated agencies lack vital information security policies, procedures and plans to detect, defend and recover from cybersecurity incidents,” says privacy attorney David Holtzman of the security consultancy CynergisTek.

For instance, last month, the Government Accountability Office reported that HHS had failed to address a number of recommendations from its 2019 audit that uncovered critical vulnerabilities, including the lack of a comprehensive cybersecurity risk management strategy and a process for conducting an organizationwide cybersecurity assessment.

Meanwhile, the unprecedented expansion of telehealth to provide healthcare treatment services during the COVID-19 pandemic requires a careful examination of the cybersecurity threats this potentially introduces, Holtzman adds.

“HHS Office for Civil Rights’ relaxation of enforcement on requirements that are resulting in the use of video conferencing and instant messaging technology that does not meet the requirements of the HIPAA Security Rule needs to be assessed for its impact,” he says.

“If telehealth services will be a key component in healthcare service delivery, we need to measure the risk posed through use of technologies when the privacy and security safeguards are largely left unregulated.”

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
