Healthcare News & Insights

What hospitals can learn from HHS’ cybersecurity vulnerabilities

The Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) is passing on a data security lesson from a recent audit it conducted on the rest of the department.

Turns out, even the feds missed some important steps in protecting their systems.

This gives hospitals a unique chance to avoid the same mistakes, which is great since there’s still time to correct any issues before the OIG conducts its second phase of HIPAA audits.

In the meantime, the OIG has been busy evaluating other areas of HHS.

Missing security steps

As Healthcare IT News reports, the OIG found several vulnerabilities in two of the other divisions.

In a report on HHS’ Office of Information Technology Infrastructure and Operations (ITIO), the OIG evaluated ITIO’s office security controls, along with the policies and procedures under which it provides network and IT security services to several HHS offices. It also interviewed security personnel at the facility.

During the OIG’s evaluation, it found several issues with:

  • antivirus management
  • configuration management
  • IT asset tracking, and
  • USB port control access.

In its report, the OIG noted it also found issues and inconsistencies with ITIO’s patch management controls, which could have exposed its system and “led to unauthorized disclosure, modification or unavailability of critical data.”

Consistency issues

Additionally, the OIG assessed various agency IT security controls for its report on the Health Resources and Services Administration (HRSA), according to Health IT Security.

The report pointed out that several IT security controls in effect as of December 2013 weren’t fully implemented or monitored. As the OIG noted, not having strong data security controls puts the confidentiality, integrity and availability of information systems at risk.

Overall, the OIG identified vulnerabilities in six areas:

  • IT asset inventory management
  • inconsistently monitoring patch management controls
  • logical access
  • inconsistently monitoring assets’ antivirus status and management
  • enforcement of encryption policies, and
  • USB port control access.

The agency gave HRSA several recommendations on how it could improve its IT security.

Messages for hospital execs

Both audits contain larger messages for any and all facility executives. Many of the issues the OIG highlighted at the other HHS agencies dealt with how consistently their systems and security controls were maintained.

It’s a reminder to facilities that cybersecurity and IT infrastructure management must be an ongoing effort to properly secure systems and patient data.

And it’s important for facilities to find and address their own security vulnerabilities while they still have time to fine-tune their HIPAA compliance.

If you haven’t done so recently, perform a self-audit of your own IT security controls, encryption, and other protected health information security policies and procedures. Be sure to document these security assessments, as well as any corrective actions you take, in case your facility is later audited.
