Health IT Security
Jarvis Rodgers, the HHS-OIG IT Audit Director, is interviewed by Sheila Davis, a public affairs specialist in Washington, DC.
SHEILA DAVIS (SD): Almost 100 million healthcare records were compromised according to a report by IBM. That means medical records were the number one target of hackers. Cybersecurity is in the news, and on the minds of most Americans. I'm Sheila Davis, and welcome to the HHS-OIG's podcast.
(Music crescendos and fades)
OIG is on the forefront of healthcare related cybersecurity work. Joining me today is Jarvis Rodgers, the IT Audit Director for OIG. Jarvis, can you start by telling us what you hope to accomplish when you do an IT audit?
JARVIS RODGERS (JD): Well, when we do an IT audit, we have an audit objective, and our audit objective vary, so what we're trying to accomplish will also vary. Ultimately what we'd like to do is to enhance awareness around cybersecurity issues, and we want to see increased cybersecurity. In order to accomplish this we typically write our reports to senior level personnel - that could be the head of HHS Operating Division, Chief Executive Officer for a hospital, a Chief Information Officer, or even state administrators for Medicare and Medicaid.
SD: What are some major IT threats people should know about, and why should the American public be concerned with health IT vulnerabilities?
JD: Health IT offers some unique challenges, in that your health records are with you forever. Whereas credit cards may have a shelf life, if they're compromised, of just a day or two, health records tend to last a lifetime. In addition, health records can fetch sometimes, 60 times more than what a stolen credit card can yield on the dark web. So I think it's important for folks to really protect their health information, to be aware of who has their health information, and recognize that, if your health information is compromised it could also result in things like someone filing a false tax return on your behalf. So health information has a lot of value, and I think it should be protected as such.
SD: What are some of OIG's top priorities with IT audits? Is there a hot trend or concern you're looking into?
JD: Well it's difficult to hone in on one or two top priorities because we're doing so many great things. I'm really proud and honored to talk about our great portfolio of work. We here at HHS-OIG have A-class team, and we get tremendous support from our senior leaders who recognize the importance of cybersecurity. We're also looking at IT security at NIH and the All of Us Initiative, we're also looking at IT controls for the Medicare enrollment database, and finally the work I'm most passionate about is we're assessing IT controls at numerous Indian health hospitals throughout the country.
SD: So you all are really responsible for the security of a lot of important information within HHS systems. I mean these are very large programs with millions of people's data.
SD: That, in a way you all are really trying to protect.
JD: Yes, and in addition to people's personal information, I mean, HHS also has proprietary information. FDA has a lot of information on drugs and medical devices, so the scope of data that HHS has is really vast and offers some unique challenges.
SD: What is penetration testing, and how is it helping to strengthen IT vulnerabilities?
JD: So penetration testing is another area that we're extremely proud of. What we're able to do is that we're able to provide chief information officers, and sometimes chief financial officers, with information where we have exploited a particular vulnerability, and we've actually been able to get into a network.
SD: So you all, you all have people working in behalf of the OIG to actually try and find those vulnerabilities, and essentially, hack into those systems.
JD: We hack in a friendly way, but yes, that is true. So some of the things we do is we may look for when some systems come out of the box they have default usernames and passwords. We'll see if the agency has in fact changed the default username and password. So, that's just an example of some of the vulnerabilities that we'll test for when we're doing penetration testing.
SD: Can you talk about how these audits help the organization, or company, that you're auditing and ultimately how does it help the American public?
JD: We believe what gets checked gets done. Our oversight role within HHS is vast and complex. Ultimately what we're trying to do is we're trying to improve cultures, and we're trying to raise cybersecurity awareness. We want to provide transparent and objective assessments of the security posture of the systems within HHS and those that receive funding from HHS. We want to ensure that funds for cybersecurity, and ultimate for technology, are being used judiciously, and overall we're working every day to protect the data that the American people have entrusted to us.
(Music fades in)
SD: Jarvis is the IT Audit Director for OIG. Thanks for taking the time to talk to us about OIG's health IT work.
JD: Thank you.
SD: I'm Sheila Davis, and thanks for listening.
(Music crescendos and fades)