OIG Reports on Top Management and Performance Challenges of HHS

The Department of Health and Human Services’ Office of Inspector General (OIG) has released its yearly report on the Top Management and Performance Challenges for the HHS.

In the report, OIG listed the 12 leading challenges that need to be overcome to make sure the department accomplishes its goals. Considering the enormity of the present opioid crisis in the U.S., the challenge of preventing and treating opioid misuse was at the top of this year’s list.

The report also emphasizes cybersecurity protections for mitigating threats to the confidentiality and integrity of health information. Protecting HHS data, programs, and beneficiaries from cybersecurity risks was placed in 10th position on this year’s list.

OIG explained the importance of data management, usage, and security to the efficient functioning of HHS’ agencies. Making sure IT systems are secure and healthcare data are protected is critical to ensuring the health and safety of Americans.

The annual budget of HHS for IT is $5 billion. A portion of the budget is spent on cybersecurity protections for its data and IT systems. The HHS faces big challenges protecting its highly complex systems and needs to store increasing volumes of sensitive data that are distributed across several locations and accessed by many entities and individuals. Also, the use of IoT technology and networked devices has increased in recent years and has introduced new risks. The HHS is required to ensure that its internal systems are protected, that cloud data security is managed, and that providers, contractors, and grantees are adopting cybersecurity best practices.

The types of information that HHS uses, stores and transmits are highly valuable to cybercriminals. Health data is ten times more valuable than credit card numbers. Therefore, the HHS is a primary target of hackers.

Failure to secure HHS data and systems will not only result in harm to patients but could also impede Federal initiatives like the NIH ‘All of Us’ Research program, preventing those initiatives from achieving their full potential.

OIG reports that the HHS does not have sufficient resources to prepare staff to respond to cyberattacks. HHS incident response and recovery procedures have not been completely tested, although cybersecurity has been improved over the past 12 months. $50 million was devoted to cybersecurity in 2017, which was used to better protect sensitive information, pay for tracking tools for security compliance, and implement threat hunting technologies at some agencies. The HHS is now also providing enhanced cybersecurity awareness training for employees in all agencies.

Cybersecurity testing is performed with the Department of Homeland Security, and there is ongoing discussion regarding cybersecurity and operational issues encountered by the department across all HHS agencies.

There has been significant progress, but a lot of work still needs to be done. OIG explained that HHS needs to develop a well-designed contingency plan for cyber-defenses, in addition to those for natural disasters. HHS must also be more proactive and needs to address current and future vulnerabilities before attackers exploit them. HHS must also focus on its ability to respond effectively to a broad range of cybersecurity threats.

OIG said the HHS must also help healthcare organizations deal with cyber threats, which is best accomplished by means of information sharing. Distribution of data about threats and strategies to mitigate them should increase. The HHS should also look for ways to work together with other government agencies, private sector organizations, academia, and federal governments to share information on cybersecurity risks and threats and to issue recommendations.