Some divisions of HHS lack sufficient cybersecurity controls, according to a new report from the Office of Inspector General.
In fiscal 2016, the OIG tested four HHS operating divisions for their cybersecurity resilience, looking at how well the agency could prevent, respond to and detect attacks. The OIG found problems with both the management of the systems and access control.
"It's hard not to think that HHS' internal security is a mess," said Chris Hart, an attorney with Foley Hoag. "It's disconcerting given the fact that HHS has a cyberunit that is intended to help hospitals and healthcare companies with their own cybersecurity systems."
HHS agreed with the OIG's findings—details of which are confidential—and said it had already corrected some of the problems and was working on correcting the others.
"The adage 'physician, heal thyself' seems to work pretty well in this context," Hart said.
In November, the OIG released a report listing the top management and performance challenges HHS faced in 2017. At the end of the list, in 10th place, sat "protecting HHS data, systems, and beneficiaries from cybersecurity threats." Data breaches could jeopardize both patient safety and the national infrastructure, according to the report, which noted that healthcare data are now more valuable than credit card numbers.
"This isn't a story about neglect at HHS," said Bill Fox, global CTO of healthcare, life sciences and insurance at database firm MarkLogic. "It's a story about security issues that plague the entire healthcare ecosystem."
In addition to the broadly stated vulnerabilities mentioned in the most recent report, the OIG in its earlier November report also mentioned problems with data encryption and website security.
What's more, some of HHS' systems are outdated, according to the OIG. To meet policy requirements, the department must modernize its legacy systems and manage its IT with modern techniques.
HHS' challenges have not been lost on Congress, either. Reps. Billy Long (R-Mo.) and Doris Matsui (D-Calif.) in November introduced the HHS Cybersecurity Modernization Act. Among other things, it aims to improve coordination between HHS offices. It would also allow the secretary to designate a single point person for department-wide information security.