Healthcare data can be up to 10 times more valuable to cyber criminals than credit card numbers, according to a report from the Department of Health & Human Services’ (HHS) Office of the Inspector General (OIG). And, with healthcare-focused ransomware attacks like WannaCry and NotPetya in the news more frequently, it’s no wonder that HHS OIG has identified cybersecurity threats as a top management challenge for 2018. “Cybersecurity incidents and breaches pose a significant risk to the confidentiality, integrity, and availability of sensitive data. This could cause a myriad of problems, including placing the health and safety of patients at risk,” OIG’s Top Management and Performance Challenges Facing HHS report warned. HHS wants stakeholders to understand the importance of protecting healthcare data and to focus on initiatives that eradicate inadequacies found in access controls, patch management, configuration management, data encryption, and website security. See OCR’s October 2018 Cybersecurity Newsletter.

To meet these challenges, HHS OIG has undertaken new projects that aim to foster a culture of cybersecurity awareness among its partners. For example, HHS OIG recently launched a webpage that details some of the actions that have been, and will be, taken to improve cybersecurity within HHS. The webpage will be regularly updated to include information regarding the cybersecurity activities that have positively affected HHS programs and helped strengthen its cybersecurity defenses, including reports of its audits, evaluations, and inspections of HHS offices and agencies. In the past, most of these cybersecurity reports were non-public. A recent statistic shows that HHS spends more than $11 billion annually on IT and that “tens of millions of cyberattacks” threaten its investment daily. In building this site, HHS OIG wants the industry to recognize how it is deploying those resources and is leading by example to encourage the improvement of cybersecurity best practices among organizations operating in and around the healthcare sector.

On the webpage, HHS OIG explains that it currently uses a three-pronged approach to safeguard data and the systems on which its data is stored: IT security controls, risk management, and resiliency. According to HHS OIG, IT security controls are technological and procedural controls that protect against vulnerabilities to the confidentiality, integrity, and availability of data and systems. Risk management is proactively identifying risks and threats and taking action to reduce those risks to a reasonable and acceptable level. And, lastly, resiliency is defined as the development of policies and procedures for incident response that will ensure it is possible to recover quickly from a cyberattack. In other words, HHS recommends that healthcare entities adopt a protectionist view of cybersecurity, which includes the proactive identification and remediation of any system vulnerabilities.

As part of this initiative, HHS OIG also formed a multidisciplinary cybersecurity team that applies the three principles outlined above to HHS offices and the agencies it oversees. The team is composed of auditors, evaluators, investigators, attorneys and other industry stakeholders who are focused on fostering enhancements to governmental cybersecurity practices. Specifically, the team includes representatives from the following HHS agencies:

  • Office of Audit Services, Cybersecurity and Information Technology Audit Division. This Office will carry out independent cybersecurity and IT audits of HHS programs, grantees, and contractors to identify risks and threats to data that require remediation.
  • Office of Evaluation and Inspection. This Office is responsible for conducting broad evaluations of HHS cybersecurity-related programs.
  • Office of Investigations, Computer Crimes Unit. This Unit will conduct criminal investigations into allegations and incidents that affect HHS program and operations.
  • Office of Counsel. This Office provides legal support for all OIG cybersecurity work.

The cybersecurity team aims to positively impact the cybersecurity culture within HHS by identifying and making actionable recommendations to address cybersecurity vulnerabilities and threats. As Jarvis Rodger, the director of the Cybersecurity and IT Audit Division, said in a recent email, “We know that poorly designed webpages, phone applications and [internet of things] devices can lead to a wealth of vulnerabilities that are costly to repair and can last throughout the life of the system…. Overall, we want to maintain our focus on identifying real-world and actionable vulnerabilities.”

So far in 2018, the team has issued at least four cybersecurity-related reports. Those include a review of information security programs of Medicare contractors, a review of HHS’ compliance with the Federal Information Security Modernization Act of 2014, a report spotlighting the need for the Centers for Medicare & Medicaid Services to enhance the resiliency of its systems, and a report urging the Food and Drug Administration to “further investigate” cybersecurity reviews in its pre-market approval process for medical devices.

Going forward, it remains to be seen whether HHS will use certain policy levers, such as regulations, contracts or grant requirements, to push its cybersecurity agenda.  If we take the OIG’s recent commentary on the FDA’s lack of medical device security as an indication of HHS’ trajectory, healthcare organizations should expect to intensify their cyber focus in the coming months for fear that they will be the next OIG target, or worse, victim of a cyberattack.