Panel suggests HHS security reboot after 5 hacks in 3 years

The House Energy and Commerce Committee issued a report detailing serious structural flaws at HHS—including operating divisions such as the FDA and National Institutes of Health—that led to poor information or cybersecurity. The Committee noted that the ongoing cybersecurity issues left HHS vulnerable to cyber attacks, including at least five known attacks in the last three years.

On October 15, 2013, an individual gained unauthorized network access to the online submission system of the FDA’s Center for Biologics Evaluation and Research (CBER). The intruder gained unauthorized access to each registered user’s account information, including passwords and associated e-mail addresses. The FDA discovered the breach on the same day it occurred, and deactivated nearly 9,000 accounts considered inactive and reset passwords for the remaining 4,820 active accounts. The active account holders were contacted by e-mail and advised to change their password because of a “technical issue.”

The Committee was especially concerned that this breach, as well as others, employed unsophisticated methods and that “officials at the affected agencies often struggled to provide accurate, clear and sufficient information on the security incidents” during the course of the Committee’s investigation. As a result, the overall adequacy of information or cybersecurity programs at HHS and its operating divisions was degraded.

Operational concerns outweighed security

Many of the security issues suffered by HHS operating divisions shared the same root cause. At the FDA, CMS, and the Office of Civil Rights, security concerns were found to be subordinated to operational concerns. The Committee’s investigation found that the organizational relationship between the chief information officer and chief information security officer at HHS and the operating divisions prioritized operational concerns, which resulted in the security concerns receiving insufficient attention. There were instances where this hierarchy prevented the chief information security officer from requiring full system audits.

Moreover, security officials were not always permitted full access into their own networks, because of contractual relationships with outside contractors. These contractors were found to own and operate portions of the agency networks. In addition, the Committee had several outstanding issues as to whether security personnel had appropriate authorities, or even expertise, to carry out cybersecurity duties. One breach simply resulted from a missing “critical” software patch, and in another instance of expertise concerns, information security officials misidentified a list of hackers as a list of security vulnerabilities.

Recommendations

House committees have increasingly voiced concerns regarding the sharp increase in cyber incidents reported by federal agencies over the past few years (see Cybersecurity a continuing concern for federal agencies, Health Law Daily, April 23, 2015). For the recent HHS breaches, these concerns could be addressed by moving the chief information security officer position to the Office of the General or Chief Counsel, as applicable. The separation of the management of information technology from the management of cybersecurity concerns would remove information or cybersecurity from the information technology “silo” and would facilitate the inclusion of expertise across HHS in cybersecurity decisions.

In particular, the Committee suggested that placement of the chief information security officer within the Office of the General or Chief Counsel specifically acknowledged that information or cybersecurity was a risk-management activity, which traditionally was the purview of the legal team. Reorganization would be an important first step toward creating a system that incentivized better security.