
An official website of the United States government.


Cybersecurity

OIG recognizes "Protecting HHS Data, Systems, and Beneficiaries from Cybersecurity Threats" as a top management and performance challenge facing HHS. In partnering with various HHS agencies to address this challenge, OIG has formed a multidisciplinary Cybersecurity Team composed of auditors, evaluators, investigators, and attorneys focused on combatting cybersecurity threats within HHS and the healthcare industry.

  • Office of Audit Services, Cybersecurity and Information Technology Audit Division: conducts independent cybersecurity and IT audits of HHS programs, grantees and contractors.
  • Office of Evaluation and Inspections: conducts broad evaluations of HHS cybersecurity-related programs.
  • Office of Investigations, Computer Crimes Unit: conducts criminal investigations concerning allegations and incidents that affect HHS programs and operations, primarily involving violations of the Computer Fraud & Abuse Act.
  • Office of Counsel: provides expert legal support for all OIG cybersecurity work.

The Cybersecurity Team combats threats by fostering enhancements in IT controls, risk management and resiliency.

Impact

The Cybersecurity Team aims to positively impact the cybersecurity culture within HHS by identifying and making actionable recommendations to address cybersecurity vulnerabilities and threats. OIG issued products that have improved cybersecurity within HHS and the broader health care ecosystem.

Summary Report for Fiscal Year 2016 OIG Penetration Testing of Four HHS Operating Division Networks: OIG successfully completed penetration testing across HHS. Actionable configuration management and access control vulnerabilities were identified and reported.

Hospitals Largely Reported Addressing Requirements for EHR Contingency Plans: OIG has conducted numerous evaluations that addressed vulnerabilities in the security of protected health information. One notable report examined contingency plans for electronic health record (EHR) disruptions, such as natural disasters or technical malfunctions. Contingency plans, which are required by the HIPAA Security Rule, specify processes to recover EHR systems and access backup copies of EHR data in the event of a disruption.

Reports

OIG's Cybersecurity and Information Technology Audit Division conducts independent cybersecurity and IT audits of HHS programs, grantees, and contractors, while OIG's Office of Evaluation and Inspections conducts broad evaluations of HHS cybersecurity-related programs.

Listed below are publicly issued reports that have positively affected HHS programs and strengthened cyber-defenses of HHS programs.

| Report | Issue Date |
|---|---|
| The Food and Drug Administration's Policies and Procedures Should Better Address Postmarket Cybersecurity Risk to Medical Devices (A-18-16-30530) | 10/29/2018 |
| States Follow a Common Framework in Responding to Breaches of Medicaid Data (OEI-09-16-00210) | 10/16/2018 |
| FDA Should Further Integrate Its Review of Cybersecurity Into the Premarket Review Process for Medical Devices (OEI-09-16-00220) | 9/10/2018 |
| CMS Enrollment System Needs To Enhance Resiliency (A-18-17-06501) | 9/04/2018 |
| Maryland Did Not Adequately Secure Its Medicaid Data and Information Systems (A-18-16-30520) | 8/9/2018 |
| Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2017 (A-18-17-11200) | 3/6/2018 |
| Review of Medicare Administrative Contractor Information Security Program Evaluations for Fiscal Year 2016 (A-18-17-11300) | 2/9/2018 |
| Summary Report for FY 2016 OIG Penetration Testing of 4 HHS Operating Division Networks (A-18-17-08500) | 12/19/2017 |
| The State of North Carolina Did Not Meet Federal Information System Security Requirements for Safeguarding Its Medicaid Eligibility Determination Systems and Data (A-07-16-00486) | 12/7/2017 |
| Two Indian Health Service Hospitals Had System Security and Physical Controls for Prescription Drug and Opioid Dispensing but Could Still Improve Controls (A-18-16-30540) | 11/28/2017 |
| Alabama Did Not Adequately Secure Its Medicaid Data and Information Systems (A-04-15-05065) | 9/8/2017 |
| The State of North Carolina Did Not Ensure That Federal Information System Security Requirements Were Met for Safeguarding Its Medicaid Claims Processing Systems and Data (A-07-16-00469) | 8/16/2017 |
| Information Technology Control Weaknesses Found in the New Mexico Human Services Department's Medicaid Eligibility Systems (A-06-16-05000) | 8/9/2017 |
| Virginia Did Not Adequately Secure Its Medicaid Data (A-04-15-05066) | 5/12/2017 |
| Information Technology Control Weaknesses Found at the Commonwealth of Massachusetts' Medicaid Management Information System (A-06-15-00057) | 3/9/2017 |
| Review of HHS Compliance with the FISMA for FY 2016 (A-18-16-30350) | 2/13/2017 |
| Review of Medicare Contractor Information Security Program Evaluations for FY 2015 (A-18-16-30300) | 1/17/2017 |
| New York Implemented Security Controls Over Its Health Insurance Exchange Web Site and Database But Could Improve Security Controls (A-02-15-03001) | 11/7/2016 |
| The State of Colorado Did Not Meet Federal Information System Security Requirements for Safeguarding Its Medicaid Systems and Data (A-07-15-00463) | 10/4/2016 |
| Information Technology Control Weaknesses Found at the Minnesota Health Insurance Exchange (A-06-15-00035) | 9/26/2016 |
| HHS' Security Management Practices for Computer Systems With Access to PII (A-18-16-30150) | 8/16/2016 |
| Wireless Penetration Test of the CMS' Data Centers (A-18-15-30400) | 8/10/2016 |
| Hospitals Largely Reported Addressing Requirements for EHR Contingency Plans (OEI-01-14-00570) | 7/22/2016 |
| Washington State Implemented Security Controls Over the Web Site and Database for Its Health Insurance Exchange but Could Improve Protection of PII (A-09-15-03005) | 6/1/2016 |
| Review of Medicare Contractor Information Security Program Evaluations for FY 2014 (A-18-15-30200) | 4/22/2016 |
| Review of the HHS' Compliance with FISMA for FY 2015 (A-18-15-30300) | 3/2/2016 |
| South Carolina Did Not Meet Federal Information System Security Requirements for Safeguarding Medicaid Management Information System Data and Supporting Systems (A-04-13-05049) | 2/11/2016 |
| Connect for Health Colorado Generally Protected PII on Its Health Insurance Exchange Web Sites and Databases but Could Continue To Improve Information Security Controls (A-07-15-00454) | 2/10/2016 |
| Inadequate Security Management Practices Left Utah Department of Health Sensitive Medicaid Data at Risk of Unauthorized Disclosure (A-07-15-00455) | 1/19/2016 |

Page last updated: November 6, 2018

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201