Monitoring of Medical Device Security to Be ScrutinizedOIG Also Criticizes Washington State Health Insurance Exchange's Security Measures
A federal watchdog agency has updated its priorities for security-related reviews of Department of Health and Human Services' agencies and programs this year. For example, it now plans to investigate whether monitoring of medical device security controls is adequate.
It also separately issued a review of the Washington state health insurance exchange, citing several security weaknesses, including vulnerability scanning, that could potentially put sensitive data at risk.
Mid-Year Work Plan
Among security-related reviews included in the HHS Office of Inspector General's Fiscal Year 2016 Mid-Year Work Plan is an assessment of the Food and Drug Administration's pre-market review of cybersecurity controls of medical devices that are wireless and internet and network connected. Also included is an examination of breach notification procedures of state Medicaid agencies and their contractors, as well as their responses to breaches of health information.
OIG's medical device initiative appears to be a refinement of OIG's original fiscal 2016 work plan that included plans to examine whether "FDA's oversight of hospitals' networked medical devices is sufficient to effectively protect associated ePHI and ensure beneficiary safety."
Also, OIG removed from its original fiscal year 2016 work plan, which was issued last November, plans to scrutinize HHS' Office for Civil Rights' "oversight of the security of electronic protected health information."
In the past, OIG has criticized OCR for delays in launching a permanent HIPAA compliance audit program - as mandated under the HITECH Act - to assess whether covered entities and business associates are properly safeguarding health information.
In recent months, however, OCR officials have said that work is underway to launch phase two of the HIPAA compliance audit program, which will review covered entities and business associates.
OIG did not immediately respond to Information Security Media Group's request for comment on the revised work plan.
Still On List
While OIG added and revised some of its plans for 2016, still on the its security-related to-do list are:
- Determining the extent to which hospitals comply with contingency planning requirements of HIPAA, and also comparing hospitals' contingency plans with government recommended practices;
- Conducting network and web application penetration testing to determine the network security posture of HHS and its operating units and assess whether these networks and applications are susceptible to hackers;
- Reviewing various HHS operating divisions' compliance with the Federal Information Security Modernization Act of 2014;
- Reviewing independent evaluations of information systems security programs of Medicare Administrative Contractors;
- Determining the adequacy of the Centers for Medicare and Medicaid Services' oversight of states' Medicaid system and information security controls, including the policies, technical assistance and security and operational guidance provided to the states.
Mac McMillan, CEO of security consultancy CynergisTek, says OIG's redefined plan to assess the cybersecurity controls of medical devices is a timely, critical step.
"The medical device situation as it relates to cybersecurity is an embarrassing statement about our ability to protect the safety of the patient or the privacy of their information. There is no other way to put that anymore," he says. "If a credible cyber terrorist threat emerges that is willing to attack people by attacking these [medical] devices, we will be wholly unprepared to defend against it. The government knows this, the providers know this - the only one who doesn't truly appreciate this is the consumer."
McMillan also says OIG's plans to assess hospitals' contingency planning is important in light of recent ransomware attacks on hospitals, including Hollywood Presbyterian Medical Center, McMillan says.
"If the [ransomware] incidents ... taught us anything, it's just how important contingency planning and readiness are. These incidents also showed us just how reliant on technology and information we have become," he says. "Contingency planning needs to address not only how efficiently we recover systems, but how ready is our workforce to function without it and have we really ensured that we have a credible backup of any digitized information when we need it."
Washington State Insurance Exchange
In its review of the Washington state health insurance exchange, OIG says that although it implemented many security controls, "it did not always comply with federal requirements. Specifically, the Washington marketplace had not adequately secured its website and database and had not performed a vulnerability scan in accordance with federal requirements."
In addition, OIG says the Washington marketplace "did not meet some of CMS's minimum requirements for protection of marketplace systems."
OIG notes that although it did not find evidence that the vulnerabilities had been exploited, "exploitation could have resulted in unauthorized access to and disclosure of PII, as well as disruption of critical marketplace operations."
The report also notes: "In addition, without proper safeguards, systems were not protected from individuals and groups with malicious intent to obtain access in order to commit fraud, waste or abuse or launch attacks against other computer systems and networks."
Keith Fricke, principal consultant at consulting firm tw-Security, says the security weaknesses OIG identified at the Washington health insurance exchange are common to many organizations, including healthcare providers.
"Small to medium-sized organizations often lack the staff to properly secure their websites and back-end databases," he says. "SQL injection attacks have been around for a while, yet despite vendor improvements in database security features, SQL attacks are still prevalent. This is because many organizations still run older versions of web servers and databases, oftentimes without the necessary security patches."
Vulnerability scanning is important, especially for internet-facing systems, Fricke adds. "It helps organizations identify exposed weaknesses that others may discover and exploit. Hackers often achieve unauthorized access to networks by performing the same vulnerability scans and then exploiting those vulnerabilities."
The Washington marketplace concurred with all of OIG's security recommendations and is implementing them.