The Department of Health and Human Services’ Office of Inspector General (HHS OIG) is highlighting awareness of the measures it implements to address cyberthreats within the HHS and the healthcare sector as a whole and is implementing measure to raise transparency of its cybersecurity tactics.
Included in these steps is the introduction of a new web page, which outlines the activities that HHS OIG is engaged in to enhance cybersecurity. The new cybersecurity-focused web portal will be constantly updated to list details of the latest cybersecurity activities that have positively affected HHS programs and have helped reinforce the cybersecurity defenses, including reports of its audits, evaluations, and inspections of its offices and agencies that HHS OIG manages.
On the newly-introduced web page, HHS OIG explains that it currently uses a three-pronged method to secure data and the systems on which those data are kept. These are 1. IT security controls 2. Risk management and 3. Resiliency.
IT security controls are technological and procedural controls that safeguard against weaknesses to the confidentiality, integrity, and availability of data and systems. Risk management is proactively searching for and finding risks and threats and taking action to minimize those risks to a reasonable and acceptable level. Resiliency is the development of strategies and procedures for incident response that will ensure data can be recovered swiftly following a cyberattack.
HHS OIG revealed that it has formed multidisciplinary cybersecurity team that implements those three principles in the various offices within the HHS and agencies that it manages. The team includes auditors, investigators, evaluators, attorneys and other industry stakeholders who concentrate on fostering improvements in IT security controls, risk management and resiliency to cyberattacks.
Independent IT and cybersecurity reviews of HHS programs, grantees, and contractors are completed by the OIG Office of Audit Services, Cybersecurity and Information Technology Audit Division. The audits find risks and threats to data to permit action to be taken to stop cyberattacks.
Broad evaluations of HHS cybersecurity-related programs are completed by the Office of Evaluation and Inspections, expert legal support for OIG cybersecurity work is supplied by the HHS OIG Office of Counsel, and criminal investigations into incidents and claims that impact HHS programs are carried out by the HHS OIG Office of Investigations, Computer Crimes Unit, in particular, violations of the Computer Fraud and Abuse Act.
Reports of HHS OIG operations have already been added to the web page dating back to 2016 and, at launch, there are four reports of cybersecurity-related activities from 2018:
- A review of Medicare contractor information security program evaluations
- A review of HHS compliance with FISMA
- A report on an audit of the CMS enrollment system
- A report on a study of the FDA’s review of cybersecurity in premarket submissions for networked medical devices.
HHS OIG summarizes the actions it is implementing to address cybersecurity within HHS and the healthcare sector in this video:
