Kusserow on Compliance: The OIG on Health IT security

Many are not aware of the fact that the HHS OIG boasts having an A-class team that focuses on IT controls and engages in what they refer to as penetration testing or “hacking” into IT systems and networks. With 100 million health care records already compromised and medical records serving as a top target for hackers, healthcare related cybersecurity has become a high priority for the OIG. Health IT offers some unique challenges, in that health records are for a lifetime, whereas credit cards may have a shelf life, if they’re compromised, of just a day or two. This makes them very valuable for criminals that can often realize 60 times more than what a stolen credit card can yield on the dark web. Compromised health information could have wide-ranging consequences, including affecting credit and even someone filing a false tax return with the information. In addition to people’s personal information, there is concern about health care provider and managed care proprietary information.

The OIG IT audits begin with setting an audit objective, which varies according to what they are trying to accomplish. The OIG desires to provide transparent and objective assessments of the security posture of the systems within HHS and those that receive funding from HHS. The OIG engages in penetration testing, as a means to help strengthen IT vulnerabilities. By engaging in penetration testing or “hacking into” IT networks, the OIG is able to provide chief information officers, and sometimes CFOs, with information regarding particular vulnerabilities. Among the common testing of IT systems is determining whether passwords are being changed periodically.  The OIG stated guiding philosophy is that “what gets checked gets done.” By identifying vulnerabilities, they draw management attention to addressing them and raising their awareness to cybersecurity.

The OIG wants to ensure that funds for cybersecurity, and ultimate for technology, are being used judiciously, and overall the OIG is working every day to protect sensitive personal and proprietary data. The OIG is using its resources to enhance awareness around cybersecurity.  The OIG focuses much of its resources on IT controls for the Medicare enrollment database; however the OIG does not confine its work to the Medicare and Medicaid space. The OIG is also looking at IT security at NIH, Indian health hospitals throughout the country, and FDA information on drugs and medical devices. The OIG typically addresses reports to senior level personnel, such as the CEO and Chief Information Officer, and often addresses reports to state administrators for Medicare and Medicaid.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

HHS says sharing is preparing for cybersecurity threats

Cyber threat information sharing can help efforts to prevent, detect, and respond to cyber-attacks, according to the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Assistant Secretary for Preparedness and Response (ASPR). Premised on the belief that health system preparedness requires knowledge of up-to-date threat information, the ONC and ASPR issued two funding opportunities to develop an Information Sharing and Analysis Organization (ISAO) for the health care sector.

Cyber Threats

As the health system becomes digital and health information takes on an increasingly electronic format, cyber threats have become a regular burden for health systems. Despite the growing threat, many components of the health care system lack the technological abilities to identify and protect themselves from cyber threats. Under the Cybersecurity Information Sharing Act (CISA) agencies, like HHS, were directed to develop tools that can help with the sharing of cybersecurity threat risks. Prior to the CISA, Executive Order 13691, signed on February 13, 2015, encouraged information sharing related to cyber threats between the government and private sector.

Recent Threats

Although some governmental efforts have focused on preparedness, data breaches continue to be a burden for the health care industry. This summer, Banner Health reported a cyberattack potentially affecting the protected health information (PHI) and payment card data of 3.7 million patients. The breach resulted from a hack of Banner’s point-of-sale systems, which may have been connected to its clinical systems. Such a lack of segmentation, may have contributed to the breach. Segmentation is the segregation of a network into areas that limits access to only those people, servers, and applications that need access, as a method of preventing hackers who enter part of a system from gaining complete control. However, the threat of cyber-attack reaches far beyond Banner Health. The scope of cyber threats is readily apparent from HHS’ “wall of shame,” which lists all of the breaches affecting 500 or more people that have been reported to the Office for Civil Rights (OCR).


The idea behind the ISAO is to allow organizations with greater cyber threat knowledge share their understanding with less-equipped organizations. For example, with greater information sharing regarding the risks of segmentation, perhaps the scope of the Banner breach could have been mitigated. HHS hopes by sharing information between HHS and the health care and public health sector, the capacity to better prevent, detect and respond to cyber-attacks will improve. The funding directs an ISAO to:

  • provide cybersecurity information and education on cyber threats affecting the healthcare and public health sector,
  • expand outreach and education activities to assure that information about cybersecurity awareness is available to the entire healthcare and public health sector,
  • equip stakeholders to take action in response to cyber threat information, and
  • facilitate information sharing widely within the healthcare and public health sector regardless of the size of the organization.

HHS hopes its combined funding opportunities—$250,000 that can be renewed for up to five years—will help spread cyber threat information among industry stakeholders and federal partners.