Governance , Incident Response , Privacy

HHS Incident Response Will Be Scrutinized

Watchdog Agency Also to Examine Obamacare Security Controls
HHS Incident Response Will Be Scrutinized

A federal watchdog agency has added two security-related evaluations to its to-do list: assessing the Department of Health and Human Services' incident response capabilities and reviewing internal IT and security controls of federal Affordable Care Act health insurance enrollment systems.

See Also: IoT is Happening Now: Are You Prepared?

In a separate development, the OIG on Sept. 20 issued a report summarizing findings of the watchdog agency's recent review of Alabama's Medicaid Management Information Systems, which found that the state did not adequately secure its systems.

More Frequent Work Plan Updates

Previously, the HHS Office of Inspector General updated its public-facing work plan website once or twice each year. In June, OIG announced it would begin updating its work plan website monthly "in order to enhance transparency around OIG's continuous work planning efforts." (See What's on HHS OIG's Plans for Scrutinizing Security in 2017?).

OIG plans to issue in 2018 a report on its review of HHS incident response, as well its report assessing the federal marketplace enrollment systems.

"OIG's evaluation of HHS's security and privacy incident response preparedness will be very valuable," says Kate Borten, president of The Marblehead Group consultancy. "Any shortcomings in the department's response plan could easily lead to or exacerbate a breach involving protected health information, personally identifiable information and other confidential information assets."

FISMA Requirement

OIG notes that the Federal Information Systems Modernization Act, or FISMA, requires federal agencies to implement policies and procedures for detecting, reporting and responding to security incidents.

"Increased threats to critical cyber-based infrastructure systems have created a need for government agencies to increase their computer security efforts," OIG writes in the updated plan.

"Incidents involving cybersecurity and privacy threats, such as malware, malicious user activity, and vulnerabilities associated with highly interconnected technology, require a skilled and rapid response to reduce their likelihood and to reduce or mitigate loss or destruction of data, loss of funds, loss of productivity, and damage to the agency's reputation," OIG says. "We will determine whether HHS has sufficiently implemented incident response capabilities to safeguard the department's information technology systems and data."

An OIG spokesman declined to comment on whether the recent string of malware and other cyberattacks, such as WannaCry and NotPetya, prompted the watchdog agency to add an incident response review of HHS to OIG's work plan.

The spokesman notes, however: "OIG has regularly been doing FISMA reviews of HHS agencies for years," including in fiscal 2016.

Federal Marketplace Enrollment Systems

As for OIG saying it's developing "new work" focused on CMS' federal marketplace enrollment systems, the watchdog agency notes the review "may include inquiries into operational readiness, internal controls, and IT security for the fifth open enrollment period" of the Affordable Care Act, also known as Obamacare. "This work may build on prior OIG work addressing marketplace operations," the report states.

OIG and another government watchdog agency, the Government Accountability Office, have previously scrutinized the security of Obamacare insurance enrollment systems,

For instance, last September, OIG and GAO officials separately testified at Congressional hearings about various security concerns, including patch management vulnerabilities, regarding Obamacare federally facilitated and state insurance marketplaces (see GAO: Obamacare Enrollment Fraud Vulnerabilities Persist).

Alabama Medicaid Systems

Meanwhile, in its recent review of Alabama Medicaid, OIG notes that while the state had adopted a security program for its Medicaid systems, "numerous significant system vulnerabilities remained."

These vulnerabilities remained because "Alabama neither implemented sufficient controls over its [Medicaid] data and information systems nor provided sufficient oversight to ensure that HP, Alabama's Medicaid fiscal agent, implemented contract security requirements," the OIG reports.

Although the OIG says it did not identify evidence that anyone had exploited these vulnerabilities, "exploitation could have resulted in unauthorized access to and disclosure of Medicaid data, as well as the disruption of critical Medicaid operations. These vulnerabilities were collectively and, in some cases, individually significant and could have compromised the integrity of Alabama's Medicaid program."

OIG recommended that Alabama improve its Medicaid security program "to secure Medicaid data and information systems in accordance with federal requirements, provide adequate oversight to its contractors, and address the vulnerabilities identified during [the] audit."

OIG notes in the report that Alabama concurred with its recommendations and described steps that it had taken or planned to take to address them.

The review of Alabama's Medicaid systems security is one of a number of HHS OIG reviews of states' computer systems used to administer HHS-funded programs. For instance, in May, OIG released a report finding weaknesses in Virginia's Medicaid Management Information System (see HHS OIG Recommends Virginia Medicaid Address Security Gaps).


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network