HHS's COVID-19 Response, Recovery Efforts to Be Scrutinized
OIG Spells Out Plans for Monitoring Security, Privacy Efforts
A federal watchdog agency has established key goals and objectives – including protecting the security of IT infrastructure as well as combating fraud – that drive its oversight of the Department of Health and Human Services’ COVID-19 response and recovery activities.
The HHS Office of Inspector General on Monday released a strategic plan for its oversight of HHS COVID-19 response and recovery “to promote the economy, efficiency, effectiveness and integrity of HHS programs, as well as the health and welfare of the people they serve.”
The watchdog agency notes that the emergence of COVID-19 “has created unprecedented challenges for HHS and for the delivery of healthcare and human services to the American people.”
Four Goals
OIG says its plan sets forth four goals that drive its strategic planning and mission execution with respect to HHS’s COVID-19 response and recovery:
- Protect infrastructure, including the security of HHS information technology and the personal information and data collected and maintained;
- Protect people, including providing oversight and support to help combat fraud and identity theft schemes that endanger individuals;
- Protect funds, including conducting audits and evaluations of HHS’s oversight, management and internal controls for disbursement and use of $251 billion in funding that was appropriated to HHS for COVID-19 response and recovery;
- Promote effectiveness of HHS programs, including identifying successful practices and lessons learned from the COVID-19 response at the federal, state and local levels, and make recommendations to strengthen future emergency preparedness and response.
OIG will assess HHS’s efforts to expand use of telehealth during the COVID-19 outbreak and its implications for future Medicare policies, the agency notes.
Protecting IT Infrastructure
The urgency of protecting HHS's IT infrastructure “is heightened as cyberattacks against HHS, healthcare institutions and researchers have increased since the COVID-19 pandemic started,” OIG notes, pointing to the potential theft of research and intellectual property.
“The technologies that are being employed in COVID-19 response may be subject to cyberattacks,” OIG says. “OIG conducts cybersecurity audits, makes recommendations to strengthen cybersecurity and investigates cybersecurity attacks against HHS.”
Authorities in the U.S. and U.K. have issued alerts in recent weeks warning of hackers targeting research facilities and healthcare organizations that are conducting vaccine trials and testing treatments for COVID-19 (see Lawmakers Demand Details on Fighting China-Linked Hacking).
Audit Plans
To help protect the security and integrity of HHS’s information systems, OIG will:
- Audit HHS capabilities for detecting IT vulnerabilities and incidents, mitigating threats and restoring IT services;
- Audit whether known cybersecurity vulnerabilities related to networked medical devices, telehealth platforms and other technologies being used in COVID-19 response have been mitigated;
- Investigate cybersecurity threats to, and attacks on, HHS systems;
- Provide technical assistance to HHS to support a secure and robust IT infrastructure.
Important Steps
“There is a general sense in the cybersecurity community that we can expect an increase in cyberattacks during this overall situation, so I think it makes sense [for HHS OIG] to focus on these issues,” says privacy attorney Kirk Nahra of the law firm WilmerHale.
“We have been seeing risks because of overall work-from-home issues, increased phishing scams and new issues related to things like telehealth and certain patient access issues, where security controls have been intentionally weakened to facilitate other goals,” he says.
While the surge in remote work and telehealth makes sense during the pandemic, the government and the public must think carefully about the risks that could follow, he adds.
OIG's oversight actions are important “because prior audits have found that HHS and its federated agencies lack vital information security policies, procedures and plans to detect, defend and recover from cybersecurity incidents,” says privacy attorney David Holtzman of the security consultancy CynergisTek.
For instance, last month, the Government Accountability Office reported that HHS had failed to address a number of recommendations from its 2019 audit that uncovered critical vulnerabilities, including the lack of a comprehensive cybersecurity risk management strategy and a process for conducting an organizationwide cybersecurity assessment.
Meanwhile, the unprecedented expansion of telehealth to provide healthcare treatment services during the COVID-19 pandemic requires a careful examination of the cybersecurity threats this potentially introduces, Holtzman adds.
“HHS Office for Civil Rights’ relaxation of enforcement on requirements that are resulting in the use of video conferencing and instant messaging technology that does not meet the requirements of the HIPAA Security Rule needs to be assessed for its impact,” he says.
“If telehealth services will be a key component in healthcare service delivery, we need to measure the risk posed through use of technologies when the privacy and security safeguards are largely left unregulated.”