HHS’ OIG report discloses significant challenges to data protection, technology from persistent cybersecurity threats
The U.S. Department of Health and Human Services (HHS), Office of Inspector General (OIG) disclosed in its annual publication that the HHS faces significant challenges to both protect data and technology from persistent cybersecurity threats, while improving how the department and related entities share large amounts of critical data from disparate sources, including public health data, on an unprecedented scale. The OIG report comes as the department continues to improve how it collects, manages, shares, and secures its data, as the HHS is refining its approach to influence and shape how other entities use technology. 

The report recognizes two elements of the challenge. These include expanding and improving HHS’s capacity to collect, use, and exchange data to support evidence-based policymaking, management, and program improvement, while also securing HHS data and systems to positively impact the cybersecurity posture of HHS and the sectors that the HHS influences.

“The importance of managing these challenges is highlighted by critical issues such as addressing inequities across health and human service programs, which often requires foundational improvements to data collection and analysis to better understand the effects on disadvantaged individuals and communities,” the OIG said in the 2022 edition of its annual report on HHS’s top management and performance challenges. “Continued modernization of HHS data and technology capabilities is needed for HHS and its divisions to fulfill their missions, improve situational awareness, and better prepare for future public health threats and emergencies.”

The report identified that continued progress on these challenges must happen as the department continues to respond to multiple, simultaneous emergencies and while the quantity, frequency, and sophistication of cybersecurity risks rapidly increase. 

“As HHS expands its technological capabilities, increases data sharing among HHS programs and the public, and improves data interoperability in the broader healthcare and public health systems, it must take crucial steps to modernize its approach to cybersecurity,” the OIG said in its report. “The importance of improving cybersecurity posture across the Federal Government has been recognized by the President, such as in the May 2021 Executive Order (EO) Improving the Nation’s Cybersecurity, which directed Federal agencies to fundamentally and systemically change their approach to cybersecurity.” 

The OIG report said that, in support, the HHS Office of Information Security is finalizing its Strategic Plan. HHS efforts will require significant investments in resources as well as cultural and organizational change. 

“To operationalize the EO, OMB directed agencies including HHS to meet specific cybersecurity standards and objectives by the end of FY 2024,” the OIG report said. “These include adopting a ‘zero trust’ security architecture approach. This method requires meaningful organizational change in how HHS implements security across its divisions and programs so that the Department protects the enterprise ‘anytime, anywhere’ regardless of where its assets and resources are located.”

Persistent and growing cybersecurity threats exacerbate the challenges facing HHS associated with data and technologies used to carry out the vital health and human service missions of HHS divisions. These threats, if not mitigated, can put critical HHS program operations at risk and potentially impact the health and welfare of individuals served by HHS. It is common practice for adversaries to continuously conduct reconnaissance for discovering new systems under development, often to gain understanding of the underlying technologies, data, and potential vulnerabilities that may be exploited. 

“This challenge is multifaceted and complex because program needs and timeliness often compete with cybersecurity controls and capabilities,” according to the OIG report. “To overcome this challenge, HHS will need to ensure that its divisions and programs establish and use a risk-based approach to rapid system development and deployment. This includes understanding the value of protecting technology and data and the risk presented by cybersecurity threats.”

Although the Department continues to improve its overall cybersecurity posture, OIG and GAO have identified challenges and systemic weaknesses. One persistent challenge is the federated nature of IT and cybersecurity environments across HHS, with its vast network of interdependent, increasingly digital health, social, and administrative services. In June, the GAO urged HHS to establish a feedback mechanism to improve the effectiveness of its breach reporting process. HHS concurred with GAO’s recommendation and described the actions it would take to address it.

HHS’s cybersecurity defenses continue to be tested as cyberthreats persist and adversaries continue to increase their levels of sophistication and maliciousness. In 2022, HHS operating divisions experienced numerous sophisticated phishing and business email compromise attacks on employees. In response, HHS issued an Advisory Notification to mitigate risk for the entire department. The department and the healthcare and public health sectors must maintain vigilance. Future sophisticated and novel methods of social engineering, coupled with technical threats, will present cybersecurity challenges and opportunities for cyberattacks.

In 2021, 45 million people were affected by cyberattacks on healthcare providers and related entities, up from 34 million in 2020. The average total cost of a breach in the healthcare industry increased almost 10 percent from $9.2 million in 2021 to $10.1 million in 2022.

Threat communication has improved through public-private partnerships spearheaded by the HHS Healthcare Cybersecurity and Coordination Center and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency. These partnerships have increased the healthcare sector’s awareness of the impacts ransomware could have on operations, including having to move patients to other facilities, loss of access to electronic health records, potential fraud, and the compromising of electronic health information and other sensitive information. 

“This challenge is widely expected to increase as new technologies are developed and introduced into the market. These technologies include the expansion of telehealth and other remote patient monitoring modalities, AI, precision medicine technologies, and future digital treatments and therapies,” the OIG reported. “In particular, FDA and the healthcare industry must continue to improve cybersecurity for networked medical devices (such as infusion pumps and pacemakers that use internet connectivity). To address cybersecurity threats and reduce patient risks, FDA has issued guidance to help support premarket and postmarket processes related to cybersecurity impacts for devices. Additionally, FDA has sought additional funding and authorities to support its ongoing efforts to help device manufacturers and the ecosystem combat cybersecurity threats.”

OIG also said that the department’s Food and Drug Administration (FDA) should continue to take steps to enhance its ability to receive relevant information as well as securely share information with key stakeholders. “HHS may have additional options to assess the cybersecurity of devices once in use by healthcare providers; however, there has been limited progress to assess this issue as part of the existing oversight mechanisms, such as the survey and certification process for Medicare-participating hospitals.”

The department also plays a significant role in ensuring the privacy of individual data such as personal health information, genetic information, and other sensitive data. The HIPAA Privacy Rule’s requirements, established nearly 20 years ago, may not adequately address current issues related to privacy concerns. Patients and providers continue to have questions about how best to protect data while navigating the requirements and constraints of HIPAA. 

The OIG report recognized that the department’s challenge is to be responsive to changes in the healthcare industry, including nontraditional healthcare delivery approaches that may impact patient privacy. Moving in this direction, the Office for Civil Rights has begun data collection to learn from the healthcare community which changes are needed to enable HIPAA to support present-day requirements.

In conclusion, the OIG report said that to run effective and efficient programs, HHS must consider issues and impacts outside a single program or mission for any one of its agencies. Barriers to coordination include navigating various HHS stakeholders with different goals and authorities and varying logistic, economic, and workforce pressures, as well as the scope and complexity of the problems that HHS needs partnerships to resolve and the changing landscape of the health and human services sectors.

Overcoming these barriers requires HHS to engage in intentional, sustained, and forward-looking efforts toward building strategic partnerships both domestically and internationally, communicating effectively, managing collaborative work, and maintaining accountability, it added.