HHS OIG Raises Awareness of Its Cybersecurity-Related Activities on New Web Page

The Department of Health and Human Services’ Office of Inspector General (HHS OIG) has recently created a new web page detailing some of the actions that have been taken to improve cybersecurity within the HSS as part of its efforts to improve transparency of its cybersecurity activities.

The new cybersecurity-focused web page will be regularly updated to include details of cybersecurity activities that have positively affected HHS programs and have helped strengthen the cybersecurity defenses, including reports of its audits, evaluations, and inspections of its offices and agencies that HHS OIG oversees.

On the new web page, HHS OIG explains that it currently uses a three-pronged approach to safeguard data and the systems on which those data are stored. They are IT security controls, risk management, and resiliency.

IT security controls are technological and procedural controls that protect against vulnerabilities to the confidentiality, integrity, and availability of data and systems. Risk management is proactively identifying risks and threats and taking action to reduce those risks to a reasonable and acceptable level. Resiliency is the development of policies and procedures for incident response that will ensure it is possible to recover quickly from a cyberattack.

HHS OIG explained it has formed multidisciplinary cybersecurity team that applies those three principles to the various offices within the HHS and agencies that it oversees. The team consists of auditors, investigators, evaluators, attorneys and other industry stakeholders who are focused on fostering enhancements in IT security controls, risk management, and resiliency to cyberattacks.

Independent IT and cybersecurity audits of HHS programs, grantees, and contractors are conducted by the OIG Office of Audit Services, Cybersecurity and Information Technology Audit Division. The audits identify risks and threats to data to allow action to be taken to prevent cyberattacks.

Broad evaluations of HHS cybersecurity-related programs are conducted by the Office of Evaluation and Inspections, expert legal support for OIG cybersecurity work is provided by the HHS OIG Office of Counsel, and criminal investigations into incidents and allegations that affect HHS programs are conducted by the HHS OIG Office of Investigations, Computer Crimes Unit, in particular, violations of the Computer Fraud and Abuse Act.

Reports of HHS OIG activities have already been uploaded to the web page dating back to 2016 and, at launch, there are four reports of cybersecurity-related activities from 2018: A review of Medicare contractor information security program evaluations; A review of HHS compliance with FISMA; A report on an audit of the CMS enrollment system; and a report on a study of the FDA’s review of cybersecurity in premarket submissions for networked medical devices.

HHS OIG summarizes the actions it is taking to address cybersecurity within HHS and the healthcare industry in the video below:

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.