HHS falls short on cybersecurity, OIG says
- A 2016 audit by the HHS Office of Inspector General found vulnerabilities in the department’s cybersecurity capabilities.
- During fiscal year 2016, OIG performed network and web application penetration tests at four operating divisions. The results showed the divisions “needed improvement to more effectively detect and prevent certain cyberattacks,” the report says.
- OIG released only a summary of the report to the public. The full report and its recommendations for correcting the identified vulnerabilities were shared with senior-level HHS IT personnel.
The past year saw a wave of high-profile cyberattacks beginning with the global WannaCry virus in May. The malware froze computer systems in hospitals across the U.K. and was detected in 199,000 incidents in 104 countries.
A second global cyberattack in June unleashed a “wiper” — malware that makes it nearly impossible for victims to recover their data. That particular strain — dubbed NotPetya, ExPetr or Nyetya — was not aimed at making money, but at spreading fast and causing maximum damage.
In August, cybersecurity sleuths identified a new ransomware strain, Defray, that specifically targets healthcare organizations. The malware penetrated systems via attachments in emails designed to look like they were from a reliable source.
This is not the first time OIG has called out HHS on cybersecurity weaknesses. An audit report, released in August 2016, cited “significant” cybersecurity gaps at 13 data centers operated by the Centers for Medicare & Medicaid Services. OIG urged CMS to address four vulnerabilities tied to improper configurations and failure to complete upgrades, but did not reveal its recommendations in the report.
Yet even as its own cybersecurity protections come up short, HHS has pressed healthcare organizations to plug their vulnerabilities and minimize cyber risks. Last year, the department awarded $350,000 to the Ormond Beach, Fla.-based National Health Information Sharing and Analysis Center to help facilities prepare for and respond to data breaches.
That initiative came just months after the Office for Civil Rights said its regional offices were stepping up investigations of smaller breaches of personal health information — ones typically involving fewer than 500 individuals.
The heat is likely to stay on HHS to improve its cybersecurity capabilities. The OIG has scheduled another audit of HHS’ incident response capability for 2018.
- Office of Inspector General: Summary Report for Fiscal Year 2016 OIG Penetration Testing of Four HHS Operating Division Networks
- FierceHealthcare: OIG identifies cybersecurity weaknesses within HHS