Penetration Test of the Organ Procurement and Transplantation Network

Announced on  | Last Modified on  | Project Number: A-18-22-03400

OBJECTIVE

The National Organ Procurement and Transplantation Network (OPTN) is used to assist medical professionals involved in U.S. organ donation and transplantation. OPTN is operated under contract with the Health Resources and Services Administration (HRSA). The OPTN operates a transplant information database containing national data on the candidate waiting list, organ donation and matching, and transplantation. This system is critical in helping organ transplant institutions match waiting candidates with donated organs. If appropriate cybersecurity controls are not implemented, there may be a significant impact to patients and health care providers should there be a cybersecurity incident. We will conduct a penetration test and determine whether HRSA has ensured there are adequate cybersecurity controls over OPTN.

TIMELINE

REPORT PUBLISHED

25-A-18-022.01 to HRSA - Closed Implemented
Closed on 05/19/2025
We recommend that the Health Resources and Services Administration require the OPTN IT system contractor to remediate the 22 vulnerabilities identified and verify that the 22 vulnerabilities identified were remediated.

25-A-18-022.02 to HRSA - Closed Implemented
Closed on 12/05/2025
We recommend that the Health Resources and Services Administration require the OPTN IT system contractor to improve network monitoring by implementing NIST SP 800-53, Revision 5, for the OPTN IT system, to include data loss prevention technology to prevent unauthorized exfiltration of information (Control SC-7(10)) and red-team exercises to simulate attempts by adversaries to compromise organizational systems (Control CA-8(2)).

25-A-18-022.03 to HRSA - Closed Implemented
Closed on 12/05/2025
We recommend that the Health Resources and Services Administration implement procedures to help ensure that the OPTN IT system contractor maintains compliance with federally required cybersecurity controls policies and standards on a continuing basis.
