According to a report issued this month from the U.S. Department of Health and Human Services (HHS) Office of Inspector General, entitled “2022 Top Management & Performance Challenges Facing HHS,” HHS says that one of its six top management and performance challenges (TMCs) is “Harnessing and Protecting Data and Technology To Improve the Health and Well-Being of Individuals.”
The report states that “The Department continues to improve how it collects, manages, shares, and secures its data. In parallel, HHS is refining its approach to influence and shape how other entities use technology. Yet HHS faces significant challenges to both protect data and technology from persistent cybersecurity threats and improve how the Department and related entities share large amounts of critical data from disparate sources, including public health data, on an unprecedented scale. The importance of managing these challenges is highlighted by critical issues such as addressing inequities across health and human service programs, which often requires foundational improvements to data collection and analysis to better understand the effects on disadvantaged individuals and communities. Continued modernization of HHS data and technology capabilities is needed for HHS and its divisions to fulfill their missions, improve situational awareness, and better prepare for future public health threats and emergencies.”
Further, “HHS’s authorities and policies also shape how technology and individuals’ data are used and protected by other private and public entities. These authorities are increasingly important in a technology-enabled health and human services delivery system. HHS has made progress; however, the ability to access quality data quickly and easily remains a challenge within the Department and in the health care and public health systems. Data collection challenges also hinder better understanding of racial and geographical population disparities. Continued progress on these challenges must happen as the Department continues to respond to multiple, simultaneous emergencies and while the quantity, frequency, and sophistication of cybersecurity risks rapidly increase.”
The report adds that data are central to HHS programs and the organization is continuing to improve its ability to collect, use, and exchange data from disparate sources. The HHS Data Strategy, which aims to address challenges related to data sharing, security, privacy, and governance, is said to be finalized soon.
Moreover, the report recommends that HHS standardize its data governance practices, as they are not consistent. Most importantly, according to the report, HHS is challenged in how it manages and leverages data across its programs—actionable data remains a challenge due to the data being siloed. Eliminating or reducing silos is “essential to improving program management, evidence-based decision making, and benefiting from new technologies.”
The report also explains that access to HHS data should be improved. Some HHS data is publicly available but difficult to navigate due to lack of standardization, limited access, understanding or use of data by stakeholders and the public. The Inspector General also encourages data sharing among healthcare providers, patients, and payers in the report.
Regarding cybersecurity, the report says that “As HHS expands its technological capabilities, increases data sharing among HHS programs and the public, and improves data interoperability in the broader health care and public health systems, it must take crucial steps to modernize its approach to cybersecurity. The importance of improving cybersecurity posture across the Federal Government has been recognized by the President, such as in the May 2021 Executive Order (EO) Improving the Nation’s Cybersecurity, which directed Federal agencies to fundamentally and systemically change their approach to cybersecurity. In support, the HHS Office of Information Security is finalizing its Strategic Plan. HHS efforts will require significant investments in resources as well as cultural and organizational change. To operationalize the EO, OMB directed agencies including HHS to meet specific cybersecurity standards and objectives by the end of FY 2024. These include adopting a ‘zero trust’ security architecture approach. This method requires meaningful organizational change in how HHS implements security across its divisions and programs so that the Department protects the enterprise ‘anytime, anywhere’ regardless of where its assets and resources are located.”
That said, “Although the Department continues to improve its overall cybersecurity posture, OIG and GAO have identified challenges and systemic weaknesses. One persistent challenge is the federated nature of IT and cybersecurity environments across HHS with its vast network of interdependent, increasingly digital health, social, and administrative services. The large scale of HHS’s mission and IT environments dictates that the Department must simultaneously address a range of dynamic cybersecurity requirements along with the specific data and technological needs for each division or program. For example, 24 of NIH’s 28 entities receive individual funding from Congress and administer their own budgets. Each NIH entity designates its own chief information officer (CIO) who coordinates with the NIH CIO.199 IHS also has a decentralized environment with a headquarters, area offices, and individual hospitals and clinics that often have additional health care mandates because they provide direct patient care. This type of environment poses challenges to IHS’s ability to assess, manage, and respond to cybersecurity threats, as well as modernize cybersecurity approaches in order to become resilient in the face of persistent threats.”
Lastly, in “Harnessing and Protecting Data and Technology To Improve the Health and Well-Being of Individuals” section of the report, the Inspector General recommends staying vigilant, as it is key to protecting HHS and health infrastructure security. “HHS’s cybersecurity defenses continue to be tested as cyberthreats persist and adversaries continue to increase their levels of sophistication and maliciousness,” the report says. “In 2022, HHS OpDivs experienced numerous sophisticated phishing and business email compromise attacks on employees. In response, HHS issued an Advisory Notification to mitigate risk for the entire Department. The Department as well as the health care and public health sectors must maintain vigilance. Future sophisticated and novel methods of social engineering, coupled with technical threats, will present cybersecurity challenges and opportunities for cyberattacks.”
