On December 19, the US Department of Health and Human Services’ (HHS) Office of the Inspector General (OIG) released a report indicating continued cybersecurity vulnerabilities among HHS’ four operating divisions based on FY 2016 penetration testing. According to the report, OIG “determined that security controls across the four HHS OPDIVs needed improvement to more effectively detect and prevent certain cyberattacks” and “identified configuration management and access control vulnerabilities.”
OIG provided HHS with a restricted “rollup” report of the four operating divisions, asking HHS to respond to six specific observations. According to OIG, the four participating operating divisions “generally concurred with [OIG’s] summary findings and conveyed that the vulnerabilities identified were corrected or were in the process of being corrected.”
As Foley Hoag attorney Chris Hart told Modern Healthcare, this evidence of flaws in HHS’s internal security is “disconcerting given the fact that HHS has a cyberunit that is intended to help hospitals and healthcare companies with their own cybersecurity systems” in the form of its new Healthcare Cybersecurity and Communications Integration Center.
HHS’s cybersecurity vulnerabilities have also prompted attention on Capitol Hill, with Reps. Billy Long (R-MO) and Doris Matsui (D-CA) co-sponsoring the “HHS Cybersecurity Modernization Act.” This bill, introduced at the end of October, would permit the Secretary of Health and Human Services to designate an information security officer reporting directly to the Secretary or another senior officer. The legislation would also require HHS to prepare and submit to Congress a plan on its role in preparing for and responding to cybersecurity threats within a year after enactment. (A similar bill was introduced in 2016, but that legislation stalled.)