The IHS Telehealth System Was Deployed Without Some Required Cybersecurity Controls
Why OIG Did This Audit
In response to the COVID-19 pandemic, health care providers increasingly deliver care using telehealth technologies. These technologies improve access to care, increase patient convenience, and increase service-delivery efficiency.
Our objective was to determine whether the Indian Health Service (IHS) implemented select cybersecurity controls to protect its telehealth system.
How OIG Did This Audit
We reviewed applicable IHS and HHS policies and procedures for telehealth technologies, interviewed staff, and reviewed system security documentation to determine whether IHS telehealth technologies was secure. We focused on determining whether IHS designed and implemented cybersecurity controls that are essential to securing IHS telehealth systems components before deployment.
What OIG Found
Although IHS deployed a national telehealth system, which increased the availability of health care services during the pandemic, it did not complete select IT controls as required prior to deploying its telehealth system nationally. Specifically, IHS did not complete the contingency plan, risk assessment, finalized authorization to operate (ATO), and system security plan. Additionally, after deployment of the telehealth system, IHS did not remediate known vulnerabilities on some telehealth system devices in a timely manner.
What OIG Recommends and IHS Response
We recommend that the Indian Health Service develop a strategy for identifying, implementing, and testing cybersecurity controls for new information systems that are deployed in an expedited fashion to meet an urgent, mission-critical need. The strategy should define the minimum set of critical controls that must be implemented and tested before the system is deployed, noting the acceptance of risk for not implementing all required controls and stipulate that the full ATO process will be completed within a specific time period. We also recommend that the Indian Health Service ensure that adequate policies, procedures, and training are implemented to ensure that known telehealth vulnerabilities are remediated in a timely manner.
IHS concurred with our recommendations and will develop guidance for inclusion in the IHS Indian Health Manual for expeditiously deploying a new information system for use during emergencies when it is necessary to meet an urgent, mission-critical need. In addition, IHS will review related policies, procedures, and training to ensure they are adequate to address all known system vulnerabilities by December 31, 2022.
Filed under: Indian Health Service