Kusserow on Compliance: The OIG on Health IT security

Many are not aware that the HHS OIG boasts an A-class team that focuses on IT controls and engages in what they refer to as penetration testing, or “hacking” into IT systems and networks. With 100 million health care records already compromised and medical records serving as a top target for hackers, healthcare-related cybersecurity has become a high priority for the OIG. Health IT offers some unique challenges, in that health records are for a lifetime, whereas credit cards, if they’re compromised, may have a shelf life of just a day or two. This makes health records very valuable for criminals, who can often realize 60 times more than what a stolen credit card can yield on the dark web. Compromised health information could have wide-ranging consequences, including affecting credit and even someone filing a false tax return with the information. In addition to people’s personal information, there is concern about health care provider and managed care proprietary information.

The OIG IT audits begin with setting an audit objective, which varies according to what they are trying to accomplish. The OIG desires to provide transparent and objective assessments of the security posture of the systems within HHS and those that receive funding from HHS. The OIG engages in penetration testing as a means to help address IT vulnerabilities. By engaging in penetration testing, or “hacking into” IT networks, the OIG is able to provide chief information officers, and sometimes CFOs, with information regarding particular vulnerabilities. Among the common tests of IT systems is determining whether passwords are being changed periodically. The OIG’s stated guiding philosophy is that “what gets checked gets done.” By identifying vulnerabilities, they draw management’s attention to addressing them and raise its awareness of cybersecurity.

The OIG wants to ensure that funds for cybersecurity, and ultimately for technology, are being used judiciously, and overall the OIG is working every day to protect sensitive personal and proprietary data. The OIG is using its resources to enhance awareness around cybersecurity. The OIG focuses much of its resources on IT controls for the Medicare enrollment database; however, the OIG does not confine its work to the Medicare and Medicaid space. The OIG is also looking at IT security at NIH, Indian health hospitals throughout the country, and FDA information on drugs and medical devices. The OIG typically addresses reports to senior-level personnel, such as the CEO and Chief Information Officer, and often addresses reports to state administrators for Medicare and Medicaid.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OIG Work Plan now being updated monthly

The OIG announced that its work planning process is being modified to be more dynamic and to reflect the adjustments being made throughout the year in response to changing priorities and newly emerging issues. As of June 15, 2017, the OIG will adjust its Work Plan on a monthly basis, rather than semi-annually as has been done previously, to ensure that it more closely aligns with the work planning process. The monthly updates will include the addition of newly initiated Work Plan items and the removal of completed items.

The Work Plan sets forth various audits and evaluations that are underway or planned during the fiscal year and beyond. Projects listed in the Work Plan span the Department and include CMS, public health agencies such as the Centers for Disease Control and Prevention (CDC) and National Institutes of Health (NIH), and human resources agencies such as Administration for Children and Families (ACF) and the Administration on Aging. The OIG also plans work related to issues that cut across departmental programs, including State and local governments’ use of Federal funds, as well as the functional areas of the Office of the HHS Secretary. In conducting its work, the OIG assesses relative risks in HHS programs and operations to identify those areas most in need of attention. In evaluating potential projects to undertake, the OIG considers a number of factors, including mandates set forth in laws, regulations, or other directives; requests by Congress, HHS management, or the Office of Management and Budget; top management and performance challenges facing HHS; work performed by other oversight organizations (e.g., GAO); management’s actions to implement OIG recommendations from previous reviews; and potential for positive impact.

New Projects Added


HHS to receive $73.5B under House funding bill, ACA left out

The 2017 Omnibus Appropriations bill allocates a total of $73.5 billion to HHS for the 2017 fiscal year, ending September 30, 2017. The House Appropriations Committee released the fiscal year 2017 Omnibus Appropriations bill on May 1, 2017. The bill provides discretionary funding for the federal government and prioritizes health while cutting funding for “ineffective or wasteful programs.”

HHS

The HHS funding represents an increase of $2.8 billion above the 2016 enacted funding level and $3.8 billion above the Obama Administration’s budget request. The budget is split among various agencies within HHS to fund what the bill calls “effective, proven programs.”

Funding

The bill allocates $34 billion to the National Institutes of Health (NIH) for research related to Alzheimer’s, antibiotic resistance, and precision medicine. The legislation includes funding for critical disease prevention and biodefense activities by allocating $7.3 billion for the Centers for Disease Control and Prevention (CDC). The bill provides the Substance Abuse and Mental Health Services Administration (SAMHSA) with $3.6 billion for 2017, with a focus on prevention and treatment of opioid and heroin use. The legislation provides $6.4 billion for the Health Resources and Services Administration (HRSA), in part to fund Community Health Centers.

CMS and the ACA

The bill allocates $3 billion for CMS program management and operations and, notably, does not provide funding to implement Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) programs. The bill continues prohibitions and restrictions on the use of federal funds related to the ACA.

The Empire State woos pharma, biotech industries

The 21st Century Cures Act (Cures Act) was passed by the House on November 30, 2016 and the Senate on December 7, 2016. The President signed it into law on December 13, 2016. The Cures Act contains three primary titles that make good on the promise of its name through FDA reforms by accelerating drug and device development and delivery. The Cures Act also creates new administrative positions related to mental health and substance abuse and provides state funding to combat opioid addiction. The President applauded Congress’ approval of the bill, commenting, “I think it indicates the power of this issue and how deeply it touches every family across America.”

In a similar vein, New York Governor Andrew Cuomo and New York City Mayor Bill de Blasio recently unveiled two initiatives that would commit $1.15 billion in funding and tax incentives for education, business development, and job creation in the life sciences sector. Of the total amount, New York City will be investing $500 million in biotech and life sciences over the next decade via a program called LifeSci NYC; the largest piece is composed of $300 million in tax credits that will be made available to companies building lab space in the city, in order to defray the high costs of construction there. The state’s contributions include $250 million in tax incentives for new and existing life science companies, $200 million in state capital grants to support investment in wet-lab and innovation space, and $100 million in investment capital for early-stage life science initiatives, with an additional match of at least $100 million for operating support from private sector partnerships.

Citing the lack of affordable and appropriate lab space as a barrier to industry, especially in the New York City real estate market, the state and city initiatives will provide more than 3.2 million square feet of innovation space and 1,100 acres of developable land available tax-free at 45 colleges and universities statewide. The availability of grants, land, and space would offer an incentive for the life science industry to access labs, infrastructure, and other equipment for product development.