OIG recognizes Protecting HHS Data, Systems, and Beneficiaries from Cybersecurity Threats as a top management and performance challenge facing HHS. To address this challenge in partnership with HHS agencies, OIG has formed a multidisciplinary Cybersecurity Team made up of auditors, evaluators, investigators and attorneys focused on combating cybersecurity threats within HHS and the healthcare industry.
- Office of Audit Services, Cybersecurity and Information Technology Audit Division: conducts independent cybersecurity and IT audits of HHS programs, grantees and contractors.
- Office of Evaluation and Inspections: conducts broad evaluations of HHS cybersecurity-related programs.
- Office of Investigations, Computer Crimes Unit: conducts criminal investigations of allegations and incidents that affect HHS programs and operations, primarily involving violations of the Computer Fraud and Abuse Act.
- Office of Counsel: provides expert legal support for all OIG cybersecurity work.
The Cybersecurity Team combats threats by fostering enhancements in IT controls, risk management and resiliency.
The Cybersecurity Team aims to positively impact the cybersecurity culture within HHS by identifying and making actionable recommendations to address cybersecurity vulnerabilities and threats. OIG recently issued products that have improved cybersecurity within HHS and the broader health care ecosystem.
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP): OIG's Office of Investigations, Computer Crimes Unit helped develop this common set of voluntary, consensus-based, industry-led guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use to strengthen their cybersecurity and align their approaches across the industry.
Summary Report for Fiscal Year 2016 OIG Penetration Testing of Four HHS Operating Division Networks: OIG completed penetration testing of four HHS operating division networks. Actionable configuration management and access control vulnerabilities were identified and reported to the operating divisions.
Hospitals Largely Reported Addressing Requirements for EHR Contingency Plans: OIG has conducted numerous evaluations addressing the security of protected health information. One notable report examined hospital contingency plans for electronic health record (EHR) disruptions, such as natural disasters or technical malfunctions. Contingency plans, which the HIPAA Security Rule requires, specify the processes for recovering EHR systems and accessing backup copies of EHR data in the event of a disruption.
OIG's Cybersecurity and Information Technology Audit Division conducts independent cybersecurity and IT audits of HHS programs, grantees, and contractors, while OIG's Office of Evaluation and Inspections conducts broad evaluations of HHS cybersecurity-related programs.
Listed below are publicly issued reports from these offices that have improved HHS programs and strengthened their cyber defenses.
Page last updated: January 10, 2019