OIG recognizes Protecting HHS Data, Systems, and Beneficiaries from Cybersecurity Threats as a top management and performance challenge facing HHS. In partnering with various HHS agencies to address this challenge, OIG has formed a multidisciplinary Cybersecurity Team composed of auditors, evaluators, investigators, and attorneys focused on combating cybersecurity threats within HHS and the healthcare industry.
- Office of Audit Services, Cybersecurity and Information Technology Audit Division: conducts independent cybersecurity and IT audits of HHS programs, grantees and contractors.
- Office of Evaluation and Inspections: conducts broad evaluations of HHS cybersecurity-related programs.
- Office of Investigations, Computer Crimes Unit: conducts criminal investigations concerning allegations and incidents that affect HHS programs and operations, primarily involving violations of the Computer Fraud & Abuse Act.
- Office of Counsel: provides expert legal support for all OIG cybersecurity work.
The Cybersecurity Team combats threats by fostering enhancements in IT controls, risk management and resiliency.
The Cybersecurity Team aims to positively impact the cybersecurity culture within HHS by identifying and making actionable recommendations to address cybersecurity vulnerabilities and threats. OIG recently issued products that have improved cybersecurity within HHS and the broader health care ecosystem.
Summary Report for Office of Inspector General Penetration Testing of Eight HHS Operating Division Networks: OIG successfully completed penetration testing across HHS. Actionable configuration management and access control vulnerabilities were identified and reported.
FDA Should Further Integrate its Review of Cybersecurity Into the Premarket Review Process for Medical Devices: In October 2018, FDA implemented our recommendation to promote the use of presubmission meetings to address any cybersecurity-related questions that manufacturers may have as they design and develop their networked medical devices and prepare for FDA's device clearance or approval process. FDA released updated guidance in which it encouraged medical device manufacturers to use the presubmission process to discuss, early on, the design considerations made to mitigate their devices' cybersecurity risks.
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP): OIG's Office of Investigations, Computer Crimes Unit contributed to enhancing cybersecurity and aligning industry approaches by assisting with the development of a common set of voluntary, consensus-based, industry-led guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use to strengthen their cybersecurity.
Hospitals Largely Reported Addressing Requirements for EHR Contingency Plans: OIG has conducted numerous evaluations that addressed vulnerabilities in the security of protected health information. One notable report examined contingency plans for electronic health record (EHR) disruptions, such as natural disasters or technical malfunctions. Contingency plans, which are required by the HIPAA Security Rule, specify processes to recover EHR systems and to access backup copies of EHR data in the event of a disruption.
OIG's Cybersecurity and Information Technology Audit Division conducts independent cybersecurity and IT audits of HHS programs, grantees, and contractors, while OIG's Office of Evaluation and Inspections conducts broad evaluations of HHS cybersecurity-related programs.
Listed below are publicly issued reports that have positively affected HHS programs and strengthened cyber-defenses of HHS programs.
Page last updated: March 21, 2019