1 May 2025

HHS-OIG Releases Cybersecurity Toolkit

Foley Hoag LLP


On March 26, 2024, the HHS Office of Inspector General (OIG) released a cybersecurity toolkit for HHS leaders to help them plan and deploy information systems in response to disasters and public health emergencies. The toolkit provides key questions and considerations based on cybersecurity standards that the OIG has used in its work assessing HHS information systems, and many of these are equally applicable to the private sector. However, this toolkit is not intended to comprehensively cover or ensure compliance with all Federal or HHS-specific IT or cybersecurity requirements, but rather to inform and coordinate discussions within the Department and with other stakeholders.

The toolkit lays out the who, why, when, where and what questions that cybersecurity leaders should be asking themselves. It also covers two scenarios: using and modifying an existing or in-house information system, and acquiring a commercial off-the-shelf product. For each scenario, the toolkit suggests four courses of action to ensure an effective cybersecurity posture: developing a timeline for testing, assessing the impact on the system's risk categorization and exposure, identifying and testing existing controls, and updating contingency plans and backup procedures. It also advises HHS leaders to consult cybersecurity subject matter experts, such as CIOs and CISOs, and government agencies (DHS CISA and NIST), and reminds them to specify in contracts that contractors must meet the applicable Federal IT security requirements and regulations.

The toolkit is a useful resource for HHS leaders who need to rapidly roll out information systems to support mission-essential activities, but it also has some limitations and challenges. First, the toolkit does not provide specific guidance or tools for conducting cybersecurity testing, assessing risk, or implementing controls, which may require additional resources and expertise from HHS or external sources. Second, the toolkit does not address how HHS leaders should monitor and evaluate the performance and security of the information systems after deployment, or how they should handle incidents or breaches that may occur. Third, the toolkit does not discuss the legal and ethical implications of collecting, processing, or maintaining sensitive data, such as personal health information, in new or modified information systems, which may raise privacy, compliance, or liability issues for HHS and its partners.


Originally published 26 March 2024
