What's on HHS OIG's Plan for Scrutinizing Security in 2017?Watchdog Agency Spotlights Medical Devices, EHRs and More
A federal watchdog agency has issued its work plan for security-related reviews of Department of Health and Human Services' agencies and programs in 2017. Planned reviews include examinations into how the Food and Drug Administration is handling cybersecurity issues related to networked medical devices, as well as audits of how well various healthcare sector organizations participating in the HITECH Act electronic health record incentive program are protecting EHR data.
As part of the HHS Office of Inspector General's fiscal 2017 work plan, the agency plans to review FDA's activities related to cybersecurity issues discovered "post-market," or in legacy medical devices, as well as prior to new devices being approved to enter the marketplace.
"FDA is responsible for ensuring and monitoring the safety and effectiveness of networked medical devices," according to the OIG work plan. "We will examine the FDA's plans and processes for timely communicating and addressing a networked medical device cybersecurity compromise."
OIG's fiscal 2017 work plan also revises plans the watchdog agency first disclosed in OIG's mid-year 2016 work plan - on how it will scrutinize FDA reviews of cybersecurity controls of networked devices during FDA's premarket review process of those medical devices.
"Effective cybersecurity controls have become increasingly important as more medical devices are wireless, internet, and network-connected," the work plan states.
However, OIG says, "these networked devices are vulnerable to intentional and unintentional cybersecurity threats that may adversely affect the device's functionality and safety."
As part of plans to scrutinize FDA's premarket review of the cybersecurity controls of networked devices - as OIG disclosed in its 2016 mid-year work plan - OIG also plans to review "FDA policies and other documents, and interview FDA staff to examine FDA's approach to reviewing networked medical device cybersecurity in the premarket process."
OIG's heightened scrutiny of FDA's handling of medical device cybersecurity issues comes in the wake of various independent researchers - or "ethical hackers" - increasingly demonstrating how internet-enabled medical devices, ranging from medication infusion pumps to cardiac pacemakers, are vulnerable to remote tampering.
Over the past two years, federal agencies, including the FDA and Department of Homeland Security have issued a handful of alerts related to medical device cybersecurity vulnerabilities discovered by ethical hackers that could potentially pose safety, privacy or security risks to patients.
In response to the growing worries over cybersecurity threats to medical devices, FDA has also been ramping up its efforts to address these concerns. That includes FDA issuing over the last three years various guidance and draft guidance to healthcare organizations and medical device manufactures related to assessing security risks of networked devices, pre-market and post-market.
While FDA has been stepping up its initiatives related to medical device cybersecurity, some security experts praise OIG in scrutinizing those FDA activities.
"I particularly applaud their review of the FDA's premarket review of cybersecurity controls of networked devices and how they intend to address cybersecurity compromises," says Mac McMillan, CEO of security consultancy CynergisTek.
The FDA "welcomes the opportunity to engage with OIG in an effort to further advance our medical device cybersecurity stance as part of the broader healthcare critical infrastructure," an FDA spokeswoman tells Information Security Media Group in a statement. "The FDA's priorities in addressing medical device cybersecurity will continue to focus on encouraging a total product lifecycle approach to managing medical device security risks and on collaborating with all stakeholders, including the cybersecurity research community, manufacturers, government agencies and health care delivery organizations, to collectively address this issue."
OIG also plans to review how well some covered entities, such as hospitals, that have received financial incentive payments under the HITECH Act "meaningful use" program, are protecting health information contained in those EHR systems.
"A core meaningful-use objective for eligible providers and hospitals is to protect electronic health information created or maintained by certified EHR technology by implementing appropriate technical capabilities," the OIG work plan states. "To meet and measure this objective, eligible hospitals must conduct a security risk analysis of certified EHR technology. ... We will perform audits of various covered entities receiving EHR incentive payments [from HHS] to determine whether they adequately protect electronic health information created or maintained by certified EHR technology."
McMillan says OIG's scrutiny of healthcare entities' compliance with HITECH Act requirements for protecting EHR systems is important.
"This is a completely appropriate area for the OIG to audit. Any time the government disperses tax dollars for meeting some regulatory requirement, the American public deserves accountability of how their dollars are used," he says.
In addition to those reviews, OIG says that in 2017 it also plans to:
- Audit HHS application and systems security controls to track prescription drug disbursements to see if they meet federal standards, with a particular review focus on access and physical controls;
- Review HHS' compliance with the Federal Information Security Management Act;
- Conduct penetration testing of HHS and operating division networks;
- Review HHS' charge card program to assess risk for illegal, improper or erroneous purchases;
- Review the National Institute of Health's data controls to ensure the privacy and protection of volunteers participating in the Precision Medicine Initiative.
Precision medicine, which is also sometimes referred to as "personalized medicine," aims to take advantage of advances in medical research, taking into account an individual's health history, genetics, environment and lifestyle to better hone treatment. Provisions supporting the Obama administration's Precision Medicine Initiative are also contained in the 21st Century Cures Act, which was passed by the House on Nov. 30 and is expected to head to the Senate for discussion this week.
Going forward, OIG says its planning efforts will consider the significant challenges that exist with respect to health IT adoption; meaningful use; and interoperability across providers, across HHS, and between providers and patients. "OIG expects to broaden its portfolio regarding information privacy and security, including issues that arise from the continuing expansion of the internet of things," the work plan also notes.
As for how OIG's 2017 work plan could change under the incoming Trump administration, McMillan says there will likely be little or no immediate impact. "Change in the government is usually like turning an aircraft carrier," he says. "The captain may give the order to turn the ship, but it will be five miles before she comes around."