OIG Prioritizes Cybersecurity for HHS Agencies

The Office of Inspector General (OIG) recognizes that the US Department of Health and Human Services (HHS) needs to improve their cybersecurity posture and promote the security and privacy of the healthcare system. The OIG, after partnering with various HHS agencies, has formed a multidisciplinary Cybersecurity Team which will focus on combatting cybersecurity threats within HHS and the healthcare industry.

The 2020 Top Management and Performance Challenges Facing HHS identified that having large amounts of data does not mean that the data can be used efficiently and effectively. Further, HHS faces challenges in how it manages and leverages that data across its programs.

Other challenges that the report identified that prompted the initiation of the Cybersecurity Team include the managing, using, and sharing of data that must be complemented by appropriately securing that data. The external threats to the confidentiality, integrity, and availability of the HHS-held data are persistent and continue to grow.

The newly created Cybersecurity Team will be comprised of auditors, evaluators, investigators, and attorneys who will combat threats by fostering enhancements in IT controls, risk management, and resiliency. The following offices will be part of the multidisciplinary Cybersecurity Team:

    • Office of Audit Services, Cybersecurity, and Information Technology Audit Division: conducts independent cybersecurity and IT audits of HHS programs, grantees, and contractors.
    • Office of Evaluation and Inspections: conducts broad evaluations of HHS cybersecurity related programs.
    • Office of Investigations, Computer Crimes Unit: conducts criminal investigations concerning allegations and incidents that affect HHS programs and operations, primarily involving violations of the Computer Fraud and Abuse Act.
    • Office of Counsel: provides expert legal support for all OIG cybersecurity work.

Protecting data from misuse or unlawful disclosure is essential given HHS’s role in healthcare.

The 2020 Top Management and Performance Challenges Facing HHS full report can be accessed here.

Compliance Perspective

Issue

The healthcare sector is a large target for malicious ransomware attacks due to the confidentiality and critical nature of its data. All nursing facilities must be proactive in preventing data breaches which are reportable in terms of the Health Insurance Portability and Accountability Act (HIPAA). Nursing facility leaders and the Privacy Officer must collaborate with their IT department to ensure that the sensitive data that is housed within their computer systems is protected. All staff who have access to the facility’s computer network should be trained on best practices in preventing data breaches, and what they must do to assist in the prevention of these breaches. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 6 Data Integrity.

Discussion Points

    • Review facility policies and procedures on cybersecurity. Ensure that policies are kept current based on best practices in preventing data breaches.
    • Train all appropriate staff on best practices to prevent data breaches. Document that the trainings occurred and file in each employee’s education file. Provide additional training as new information becomes available.
    • Periodically audit to ensure that staff are knowledgeable and utilizing best practices in preventing data breaches.

FOR MORE INFORMATION ON THIS TOPIC VIEW: UNDERSTANDING AND PREVENTING RANSOMWARE, APTS, AND ZERO DAY EXPLOIT ATTACKS.

You May Also Like