- Protecting HHS data systems and beneficiaries from cybersecurity threats is one of the top threats the agency must overcome, according to OIG’s 2017 Top Management and Performance Challenges Facing HHS. The threats need to be addressed using health IT infrastructure tools to ensure HHS data is protected.
The amount of healthcare data being stored is growing exponentially as organizations are collecting more data from networked and Internet of Things (IoT) devices for big data analytics. This data needs to be protected and IT infrastructure security needs to be expanded to accommodate the influx of data.
“Cybersecurity incidents and breaches pose a significant risk to the confidentiality, integrity, and availability of sensitive data,” said OIG. “This could cause a myriad of problems including impeding HHS’s ability to offer essential programs and services. The Department must ensure that it takes appropriate actions to protect all HHS data and systems from cybersecurity threats. Similarly, HHS must protect its beneficiaries by fostering a culture of cybersecurity among its partners and stakeholders.”
One of the key components of protecting HHS systems is making sure infrastructure security systems are up to date and correctly deployed for the type of storage in which it is being applied.
Cloud is still growing, especially as organizations are expanding. Cloud offers a cost-effective way to expand storage capacity without needing to invest in expensive on-premises equipment. The rate data is being collected it too high for organizations to continuously invest in new hardware.
However, as data is moved to the cloud, the same security practices that protected the data for on-premises storage are no longer as effective for cloud deployments. This means that IT administrators need to rethink their security strategy to incorporate data stored both in the cloud and on-premises.
Outdated infrastructure security can lead to cybersecurity vulnerabilities such as inadequacies in access controls, patch management, configuration management, encryption of data, and website security, said OIG.
Modern IT infrastructure and practices must be used, according to OIG. Healthcare projects and programs are becoming dependent on IT infrastructure technology. Organizations are constantly updating their digital tools to move forward with value-based care initiatives and medical research. As covered entities advance their tools, they need to advance their IT security as well to protect the data.
“HHS is the Sector-Specific Agency for the Healthcare and Public Health Sector (HPH) and the Co-Sector-Specific Agency for the Food and Agriculture Sector,” said OIG. “In those roles, HHS is tasked with, among other things, coordinating with Federal partners, collaborating with critical infrastructure owners and operators, and offering support in identifying vulnerabilities and mitigating incidents.”
“The Department must determine how best to support partners’ and stakeholders’ efforts to enhance cybersecurity while being mindful of the wide diversity in the infrastructure and resources available to prepare for, detect, and respond to cybersecurity threats,” OIG continued.
Not all healthcare organizations can afford the most advanced infrastructure security solutions and HHS needs to support all IT infrastructures, regardless how technologically advanced the entity is. This is currently one of the biggest challenges facing HHS, the report noted.
HHS is addressing this challenge by continuing to progress in its effort to identify vulnerabilities and limit unauthorized access to PHI.
HHS also intends to address this challenge by doing away with outdated technology that is not compatible with more modern infrastructure tools. Legacy technology can create security gaps that are hard to detect. Legacy systems are also more prone to system failures which puts patient data at risk.
“As the Department updates or acquires new technology, HHS must also ensure that it aligns with technology priorities defined in legislation and administration policy,” said OIG. “This includes the full implementation of the Federal Information Technology Acquisition Reform Act, modernization of legacy systems, and adoption of modern IT management practices.”
Organizations need to be aware of the influx of networked devices and how those devices are managed and monitored. IT administrators need to have visibility and control over their network to ensure that legacy systems that are waiting to be replaced are not compromised and that all networked devices are only accessing what is necessary.