Cybersecurity

OIG recognizes Harnessing Data To Improve Health and Well-Being of Individuals, which includes improving HHS's cybersecurity posture and promoting the security and privacy of the health care system, as a top management and performance challenge facing HHS. In partnering with various HHS agencies to address this challenge, OIG has formed a multidisciplinary Cybersecurity Team comprised of auditors, evaluators, investigators and attorneys focused on combatting cybersecurity threats within HHS and the healthcare industry.

• Office of Audit Services, Cybersecurity and Information Technology Audit Division: conducts independent cybersecurity and IT audits of HHS programs, grantees and contractors. For information about the Division and joining our team, click here.
• Office of Evaluation and Inspections: conducts broad evaluations of HHS cybersecurity-related programs.
• Office of Investigations, Computer Crimes Unit: conducts criminal investigations concerning allegations and incidents that affect HHS programs and operations, primarily involving violations of the Computer Fraud & Abuse Act.
• Office of Counsel: provides expert legal support for all OIG cybersecurity work.

The Cybersecurity Team combats threats by fostering enhancements in IT controls, risk management and resiliency.

• Impact

  The Cybersecurity Team aims to positively impact the cybersecurity culture within HHS by identifying and making actionable recommendations to address cybersecurity vulnerabilities and threats. OIG recently issued products that have improved cybersecurity within HHS and the broader health care ecosystem.

  Summary Report for Office of Inspector General Penetration Testing of Eight HHS Operating Division Networks: OIG successfully completed penetration testing across HHS. Actionable configuration management and access control vulnerabilities were identified and reported.

  (Video) Deputy Inspector General for Investigations Gary Cantrell was interviewed during a CBS Morning News story about cybersecurity threats.

  FDA Should Further Integrate its Review of Cybersecurity Into the Premarket Review Process for Medical Devices. In October 2018, FDA implemented our recommendation to promote the use of presubmission meetings to address any cybersecurity-related questions that manufactures may have as they designed and developed their networked medical device and prepared for FDA's device clearance or approval process. FDA released updated guidance in which it encouraged medical device manufacturers to use the presubmission process to discuss, early on, the design considerations that were made to mitigate their device's cybersecurity risks.

  Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP): OIG Office of Investigations, Computer Crimes Unit contributed to the enhancement of cybersecurity to align industry approaches by assisting with the development of a common set of voluntary, consensus-based, and industry-led guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use to enhance cybersecurity.

  Hospitals Largely Reported Addressing Requirements for EHR Contingency Plans: OIG has conducted numerous evaluations that affected vulnerabilities of protected health information security. One notable report examined contingency plans for electronic health record (EHR) disruptions, such as natural disasters or technical malfunctions. Contingency plans, which are required by the HIPAA Security Rule, specify processes to recover EHR systems and access backup copies of EHR data in the event of a disruption.

• Reports

  OIG's Cybersecurity and Information Technology Audit Division conducts independent cybersecurity and IT audits of HHS programs, grantees, and contractors; while OIG's Office of Evaluation and Inspections conducts broad evaluations of HHS cybersecurity-related programs.

  Listed below are publicly issued reports that have positively affected HHS programs and strengthened cyber-defenses of HHS programs.

  Report	Issue Date
  HHS Made Some Progress Toward Compliance With the Geospatial Data Act (A-18-22-11400)	9/26/2022
  National Institutes of Health Grant Program Cybersecurity Requirements Need Improvement (A-18-20-06300)	09/22/2022
  The IHS Telehealth System Was Deployed Without Some Required Cybersecurity Controls (A-18-21-03100)	09/09/2022
  The Health Resources and Services Administration Should Improve Its Oversight of the Cybersecurity of the Organ Procurement and Transplantation Network (A-18-21-11400)	08/31/2022
  Review of Medicare Administrative Contractor Information Security Program Evaluations for Fiscal Year 2021 (A-18-22-11300)	7/27/2022
  The Centers for Medicare & Medicaid Services Had Policies and Procedures in Place To Mitigate Vulnerabilities in a Timely Manner, but Improvements Are Needed (A-18-20-06500)	6/29/2022
  Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021 (A-18-21-11200)	4/25/2022
  Review of Medicare Administrative Contractor Information Security Program Evaluations for Fiscal Year 2020 (A-18-21-11300)	7/12/2021
  The Centers for Medicare & Medicaid Services Did Not Account for National Security Risks in Its Enterprise Risk Management Processes (A-18-20-06200)	7/8/2021
  Medicare Lacks Consistent Oversight of Cybersecurity for Networked Medical Devices in Hospitals (OEI-01-20-00220)	6/21/2021
  Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020 (A-18-20-11200)	4/6/2021
  Summary Report for Cybersecurity Assessments of Four HHS Operating Division Networks (A-18-20-08012)	3/25/2021
  HHS Operating Division Generally Implemented Cybersecurity Controls Over Key Reporting System But Improvements Are Needed (A-18-20-06001)	3/11/2021
  HHS Operating Division Needs to Improve Controls Over Key Application to Protect Sensitive Data (A-18-19-06002)	12/10/2020
  HHS Made Some Progress Toward Compliance With the Geospatial Data Act (A-18-20-11500)	10/2/2020
  The National Institutes of Health Should Improve Its Stewardship and Accountability Over Hardware and Software Assets (A-18-19-06004)	9/10/2020
  Review of Medicare Administrative Contractor Information Security Program Evaluations for Fiscal Year 2019 (A-18-20-11300)	8/4/2020
  Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2019 (A-18-19-11200)	4/1/2020
  National Institutes of Health Had Information Technology Control Weaknesses Surrounding Its Electronic Health Record System (A-18-19-06003)	2/26/2020

Page last updated: November 4, 2022