OIG: HHS Must Do More to Address Cybersecurity ThreatsWatchdog Agency Report Spells Out Action Items
Protecting Department of Health and Human Services' systems, data - and beneficiaries - from evolving cyberthreats is a top challenge for the agency, according to a new report that recommends action items.
In an annual report issued on Nov. 16, the HHS Office of Inspector General identifies securing HHS's data and systems and advancing cybersecurity within the healthcare ecosystem as one of the 12 most significant performance and management challenges facing the agency.
"HHS has large amounts of data that are an attractive target to hackers and limited resources to defend this data."
—Adam Greene, Davis Wright Tremaine
Among the HHS actions the report recommends are:
- Become more proactive in identifying and mitigating vulnerabilities;
- Create a well-designed contingency program as a key feature of cyber defenses;
- Forge additional relationships for the sharing of best practices and cyberthreat information with government and industry partners.
Cybersecurity was spotlighted by HHS OIG as a top HHS challenge because "data management, use and security are essential to the effective and efficient operation across HHS's agencies and programs," the report notes.
"HHS spends more than $5 billion every year on IT - not including grants-related IT expenditures. The environment in which HHS must protect its systems is complex, with ever-increasing volumes of data residing in many places and with many entities and individuals, and with continued expansion of the internet of things, including networked medical devices."
In addition, the report notes, "those possessing health and human services data - including public stakeholders - have cybersecurity responsibilities, which include ensuring effective people, processes and technologies are in place to protect HHS data."
HHS's challenges include protecting data on internal systems, overseeing the cybersecurity of data in cloud environments, and ensuring that providers, grantees and contractors are adhering to sound cybersecurity principles, the report says.
"The HHS OIG is correct that cybersecurity continues to be a top challenge to HHS," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "HHS has large amounts of data that are an attractive target to hackers and limited resources to defend this data."
A recent incident involving Healthcare.gov - in which data on 75,000 individuals was exposed - highlights the continuing challenge that HHS is facing in balancing access and security for large volumes of sensitive information, Greene adds.
The OIG report appears to focus on HHS's role as a principal - not its role in setting guidance for regulated entities under HIPAA or otherwise, says privacy attorney Kirk Nahra of the law firm Wiley Rein. "Nonetheless, because of the critical direct role that HHS plays across the healthcare system - from Medicare and Medicaid, to the National Institutes of Health and medical research, to the Food and Drug Administration activities ... it is good to see that HHS continues to recognize the importance of this [cybersecurity] challenge."
Nahra says he hopes that HHS gets the needed support and resources to effectively address its cyber challenges.
Indeed, the HHS OIG report notes that the cybersecurity threats facing HHS are "real and pressing."
The report states: "Healthcare data is a prime target for cybercriminals, and the value of compromised electronic health records has been reported to be as much as 10 times that of a credit card number. In addition to identity threats, compromising the integrity and availability of HHS systems can adversely affect patient care."
For example, the WannaCry ransomware vulnerability affected an estimated 300,000 computers worldwide and resulted in thousands of surgeries and appointments being canceled unless ransoms of $300 to $600 were paid, the report notes.
"The department has employed measures to notify hospitals about how to mitigate the impact of this vulnerability to the U.S. healthcare system," HHS OIG notes.
The OIG report states that HHS has made some progress in addressing cybersecurity issues related to its data and systems. The agency's fiscal 2017 budget allocated $50 million for cybersecurity to protect sensitive and critical information.
"HHS has implemented continuous monitoring tools to facilitate security compliance and has partnered with a commercial vendor to deploy threat hunting technologies at some HHS agencies," the report notes.
In addition, HHS has instituted security awareness and phishing prevention campaigns throughout the year.
Some units within HHS coordinate with the Department of Homeland Security to conduct cybersecurity testing. "HHS is using a standardized log-analysis platform that will enable HHS and its operating divisions to better perform deep analysis of events and facilitate automation and integration with internal and external data sources and security tools," OIG writes.
In addition, DHS conducts security scans of external-facing HHS systems, the report notes.
The watchdog agency's report also states that HHS is making some progress in helping advance cybersecurity throughout the healthcare ecosystem.
"The department and its public and private partners and stakeholders have taken some steps to address coordination and information sharing concerning cybersecurity threats, but they must continue to work to enhance capabilities," the report notes.
"Healthcare-specific cybersecurity information sharing and analysis reports are available through numerous sources, including FireEye iSight reports, the Health Information Sharing and Analysis Center, the Health Sector Cybersecurity Coordination Center and the Computer Security Information Response Center," the report says.
Some HHS units - including the Food and Drug Administration - have created partnerships with outside information sharing organizations to better coordinate cybersecurity efforts, according to the report (see: FDA Reveals Steps to Bolster Medical Device Cybersecurity).
But HHS needs to make additional improvements, the watchdog agency writes.
To protect its data and systems, HHS must continue to take steps to address vulnerabilities identified by OIG and others in previous assessments, as well as implement additional measures, the report notes.
HHS should have "a well-designed contingency program ... in place not only to respond to natural or man-made disasters but also as a key feature of cyber-defenses," OIG states.
Additionally, HHS must be proactive in identifying vulnerabilities and developing mitigation protocols in a timely manner to combat current and future cybersecurity threats, OIG says.
"HHS should therefore focus on its capabilities to respond efficiently and effectively to a wide range of threats to healthcare and the resilience of its information systems, including its incident response coordination channels and contingency planning."
OIG also recommends that HHS agencies should continually seek opportunities to partner with other government agencies, private industry, academia and state governments to share information on cybersecurity, emerging threats, risks and best practices.
"HHS must continue to engage the healthcare and public health sectors to ensure that cybersecurity threats are properly communicated and that appropriate guidance on foundational cyber hygiene best practices is available," the report states. "Both help protect the sector and, in turn, the HHS environment."
Some security experts suggest HHS should consider taking other steps not highlighted in the report to help improve the cybersecurity posture of the healthcare sector.
"HIPAA needs to be updated to reflect current times," says Keith Fricke, principle consultant at tw-Security.
"The list of terms and technologies missing from the security rule is extensive. Terms such as social media, ransomware, internet of things, and even next-generation firewalls are conspicuously absent - and that is the tip of the iceberg," he says.
Fricke suggests that HHS's Office for Civil Rights reconsider its approach to financial penalties for HIPAA violations.
"What would happen if the OCR fines levied against breached healthcare organizations were put in escrow until the organization demonstrated it addressed weaknesses in its security program and received some of that money back? Hospitals operate on razor-thin budgets."
Many healthcare providers were financially incentivized to adopt EHRs through the HITECH Act's "meaningful use" program, he notes. "Should we be considering a framework to incentivize healthcare organizations to properly invest in cybersecurity practices? The end goal is to improve the security and privacy of patient information; this may be a way to help get us there."
Greene, the attorney, also suggests HHS take additional steps to help smaller healthcare entities bolster their security.
"I would like to see HHS focus on developing a suite of security tools that under-resourced healthcare entities, such as small physician practices, can leverage to protect their data," he says. "It is increasingly unrealistic to expect that small and medium-sized healthcare entities can reasonably defend against cybersecurity threats without more help."