HHS OIG cyber team safeguards medical data

Health care data can be up to 10 times more valuable to cyber criminals than credit card numbers, according to a report from the Health and Human Services Department’s Office of Inspector General. And with health care-focused ransomware attacks like WannaCry and NotPetya in the news more frequently, HHS OIG wants stakeholders to know its cybersecurity team is working to ensure the department is prepared.

“We feel we are well aligned to take-on the challenges of the future,” Jarvis Rodgers, director of the Cybersecurity and IT Audit Division, said in an email. “Our team is continuing to expand our knowledge base in application development security. We know that poorly designed webpages, phone applications and [internet of things] devices can lead to a wealth of vulnerabilities that are costly to repair and can last throughout the life of the system. Supply chain vulnerabilities that originate from nation states also present a unique set of challenges and we are enhancing our knowledge base to identify and mitigate these threats. Overall, we want to maintain our focus on identifying real-world and actionable vulnerabilities that C-level officials can interpret and address timely.”

A new page on the HHS OIG website highlights the team’s three-pronged approach to combating threats: enhance IT controls, risk management and resiliency. In other words, the team ensures the agency is protected from vulnerabilities, looks to find those vulnerabilities before they can be exploited, and ensures the department can recover if an incident does occur.

The team has performed audits on Medicare’s primary system, penetration tests of HHS’ networks, and reviews of federal, state and contractor information security systems.

The team has four divisions:

  • The Office of Audit Services, Cybersecurity and Information Technology Audit Division;
  • The Office of Evaluation and Inspections;
  • The Office of Investigations, Computer Crimes Unit; and
  • The Office of Counsel.

Rodgers said the divisions cross collaborate well to accomplish their goals.

“Although our organizational structure is hierarchical, we operate a flat structure in practice,” he said. “We are geographically dispersed throughout the country and we aim to establish a culture where every team member is responsible for an important aspect of a cybersecurity audit. This has created accountability and ownership, everyone on the team understands they have a significant role in the cybersecurity of HHS, and their work could have reverberations throughout the broader healthcare ecosystem.”

That may be part of the reason the team has a low turnover rate. Rodgers said it hasn’t had to deal with attrition like other parts of the federal cyber community. But that doesn’t mean it’s immune to the government’s struggles to retain talented cyber personnel.

“To help mitigate the talent gap, we have utilized contracting resources as well as enhancing the technical training available to our employees,” he said. “Our penetration testing is a great example where contractors were used to perform work and train our employees. The contractor provided subject matter expertise which served the dual role of guiding more complex cyber-testing, as well as training and growth opportunities for our team. We believe this hands-on training where our team is embedded with cybersecurity experts has provided great value.”