OIG Calls for Greater Oversight of the Cybersecurity of the Organ Procurement and Transplantation Network
The HHS’ Office of Inspector General (OIG) has called for the Health Resources and Services Administration (HRSA) to improve oversight of the cybersecurity of the Organ Procurement and Transplantation Network (OPTN).
The OPTN is a national system for allocating and distributing donor organs to individuals in need of organ transplants. The OPTN is a public-private partnership that links all professionals involved in the donation and transplantation system, and it is administered by the United Network for Organ Sharing (UNOS). UNOS is a nonprofit that is responsible for managing the systems that contain the personal and medical information of organ donors, transplant candidates, and transplant recipients.
The IT systems supporting the OPTN ensure the rapid matching of donated organs with patients awaiting transplants. There is a very short window of opportunity for providing donated organs to recipients, which can be just a matter of hours or days. The IT systems that support the OPTN are essential for ensuring that the process is efficient, and they require the confidentiality, integrity, and availability of data to be maintained at all times. The Department of Health and Human Services has designated the OPTN a High-Value Asset.
If hackers were to breach the OPTN systems, those systems could be disrupted, which could prevent organs from being matched and could therefore be a matter of life and death. The OPTN has been criticized for the outdated IT systems in use and the lack of technical capabilities to upgrade those systems and make them secure and fit for purpose. While UNOS maintains that security controls are in place to ensure the confidentiality, integrity, and availability of data in its IT systems, there is concern that vulnerabilities may exist that could be exploited by malicious actors.
Prior to 2018, the OPTN contract did not include any cybersecurity requirements or standards because the HRSA did not believe it could compel compliance, and during that period the HRSA conducted only limited oversight of OPTN cybersecurity. The HRSA modified the contract with UNOS in 2018 to require FISMA and NIST cybersecurity guidelines to be followed, and oversight of the OPTN was increased, including ensuring there was appropriate monitoring of compliance with FISMA and NIST standards.
OIG conducted an audit to determine whether the HRSA had implemented appropriate cybersecurity controls for the OPTN in line with Federal requirements to ensure the confidentiality, integrity, and availability of donation and transplantation data, and to assess whether there was adequate oversight of UNOS’s implementation of cybersecurity. The OIG review did not include any technical testing, although selected general IT controls were reviewed to determine whether they had been implemented in line with Federal requirements, including the system security plan, risk assessment, access controls, configuration management, system monitoring, flaw remediation, and vulnerability assessments. Two penetration tests of the OPTN were also reviewed.
OIG determined that most of the IT controls had been implemented in accordance with Federal requirements but identified several areas where HRSA could improve its oversight of UNOS. OIG found that HRSA lacked adequate oversight procedures to ensure that UNOS was meeting all Federal cybersecurity requirements in a timely and effective manner. For instance, despite NIST assigning the highest priority code to the policy and procedure controls for each security control family, several of UNOS’s policies and procedures either did not exist or were still in draft form. Access control and risk assessment policies and procedures were still in draft form, and system monitoring policies and procedures did not exist. There was also a high risk that local site administrators would not deactivate local site user accounts in a timely manner, and were that to happen, it could go undetected by UNOS for up to a year, until the next annual user account audit was conducted.
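The account-deactivation finding above is a detection-latency problem: an account that a local site administrator fails to disable is only caught at the next annual audit. The following is an added illustration, not code from the OIG report, HRSA, or UNOS, of how a continuous inactive-account check narrows that window. The account records, the 90-day threshold, and the review date are all constructed assumptions for the example; a real deployment would read accounts from the identity system and run on a schedule.

```python
from datetime import date

# Constructed sample of local site user accounts (hypothetical, not OPTN data).
# last_login is an ISO date string or None for an account that has never signed in.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "site": "site-A", "last_login": "2023-01-10", "active": True},
    {"user": "bob",   "site": "site-A", "last_login": "2022-03-02", "active": True},
    {"user": "carol", "site": "site-B", "last_login": "2022-11-20", "active": False},
    {"user": "dave",  "site": "site-B", "last_login": None,         "active": True},
]

# Assumed review date for the example, so results are reproducible offline.
AS_OF = date(2023, 3, 1)

# Assumed inactivity threshold; the page gives none, 90 days is a common policy value.
DEFAULT_MAX_INACTIVE_DAYS = 90


def days_inactive(account, today):
    """Days since the account last signed in, or None if it never has."""
    if account["last_login"] is None:
        return None
    return (today - date.fromisoformat(account["last_login"])).days


def find_stale_accounts(accounts, today, max_inactive_days=DEFAULT_MAX_INACTIVE_DAYS):
    """Return enabled accounts that exceed the inactivity threshold or never logged in.

    Already-disabled accounts are skipped: the control failure the audit describes is
    an account that stays *enabled* after it should have been deactivated.
    """
    stale = []
    for acct in accounts:
        if not acct["active"]:
            continue
        inactive = days_inactive(acct, today)
        # A never-used enabled account is treated as stale: it has no activity to justify it.
        if inactive is None or inactive > max_inactive_days:
            stale.append({"user": acct["user"], "site": acct["site"], "days_inactive": inactive})
    return stale


def stale_by_site(accounts, today, max_inactive_days=DEFAULT_MAX_INACTIVE_DAYS):
    """Group stale usernames by site, so each local site administrator gets their own list."""
    report = {}
    for entry in find_stale_accounts(accounts, today, max_inactive_days):
        report.setdefault(entry["site"], []).append(entry["user"])
    return report


if __name__ == "__main__":
    for site, users in sorted(stale_by_site(SAMPLE_ACCOUNTS, AS_OF).items()):
        print(f"{site}: {', '.join(users)} exceed {DEFAULT_MAX_INACTIVE_DAYS} days without a login")
```

Run daily, this flags an account within a day of it crossing the threshold instead of up to a year later; the site-level grouping matches the finding that deactivation is the local site administrator's responsibility, while the central report gives UNOS the visibility the annual audit was providing too late.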
“Without finalized, written policies and procedures, there is a high risk that UNOS staff may not fully understand or perform as intended their roles and responsibilities as they pertain to certain cybersecurity controls, or that the OPTN will not comply with NIST controls as required by the FISMA,” said OIG in the report. “A lack of finalized, written policies and procedures could result in essential cybersecurity controls not being implemented properly or at all.”
OIG has recommended that HRSA improve its oversight to ensure that the OPTN contractor complies with all Federal cybersecurity requirements and does so in a timely manner. HRSA said it had ensured that most of the cybersecurity controls assessed by OIG had been implemented by UNOS, and that it has taken actions to strengthen oversight and controls, including appointing an OPTN Information System Security Officer to oversee the contractor’s cybersecurity efforts. Action has also been taken to finalize all policies and procedures that were in draft form, plans of action and milestones (POAMs) have been created to ensure the timely disabling and removal of inactive user accounts, and HRSA has ensured that UNOS has implemented 2-factor authentication for all users.