The Department of Health and Human Services’ Office of Inspector General (HHS OIG) wants HHS and the healthcare sector to be more aware of its work to combat cyberthreats, and is increasing transparency about its cybersecurity oversight and enforcement activities.
One step in that direction is a new web page HHS OIG has created describing what it is doing to strengthen cybersecurity. The page will be updated regularly with cybersecurity activities that have improved HHS programs and helped reinforce their defenses, including reports from its audits, evaluations, and inspections of the agencies and offices that HHS OIG oversees.
On the new web page, HHS OIG explains that it uses a three-pronged strategy to protect data and the systems on which that data is kept: IT security controls, resiliency, and risk management.
IT security controls are the technical and procedural measures that protect the confidentiality, integrity, and availability of data and networks against vulnerabilities. Risk management is proactively identifying risks and hazards and taking steps to reduce them to an acceptable and reasonable level. Resiliency is having policies and procedures in place to respond to incidents so that recovery from a cyberattack is quick.
HHS OIG also described a multidisciplinary cybersecurity team that applies these three principles across the HHS offices and institutions it oversees. The team comprises auditors, investigators, evaluators, lawyers, and other industry stakeholders who work to promote improvements in IT security controls, resiliency to cyberattacks, and risk management.
Independent IT and cybersecurity audits of HHS programs, grantees, and contractors are performed by the OIG Office of Audit Services, Cybersecurity and Information Technology Audit Division. These audits identify risks and hazards to data so that corrective action can be taken before they are exploited in a cyberattack.
The Office of Evaluation and Inspections carries out broader assessments of HHS cybersecurity-focused programs. The HHS OIG Office of Counsel provides legal support for the OIG’s cybersecurity function. Criminal investigations of incidents and allegations affecting HHS programs, in particular violations of the Computer Fraud and Abuse Act, are handled by the HHS OIG Office of Investigations, Computer Crimes Unit.
Reports of HHS OIG activities dating back to 2016 have already been posted to the web page. At launch, four reports on cybersecurity-focused activities from 2018 are available:
- A review of Medicare contractor information security program evaluations
- A report on a study of the FDA’s review of cybersecurity in premarket submissions for networked medical devices
- A report on an audit of the CMS enrollment system
- A review of HHS compliance with FISMA