HHS-OIG Releases Cybersecurity Toolkit

Foley Hoag LLP - Security, Privacy and the Law

On March 26, 2024, the HHS Office of Inspector General (OIG) released a cybersecurity toolkit for HHS leaders to help them plan and deploy information systems in response to disasters and public health emergencies. The toolkit provides key questions and considerations based on cybersecurity standards that the OIG has used in its work assessing HHS information systems, and many of these are equally applicable to the private sector. However, the toolkit is not intended to comprehensively cover, or ensure compliance with, all Federal or HHS-specific IT or cybersecurity requirements; rather, it is meant to inform and coordinate discussions within the Department and with other stakeholders.

The toolkit lays out the who, why, when, where and what questions that cybersecurity leaders should be asking themselves. It also covers two scenarios: using and modifying an existing or in-house information system, and acquiring a commercial off-the-shelf product. For each scenario, the toolkit suggests four courses of action to ensure an effective cybersecurity posture, such as developing a timeline for testing, assessing the impact on the system's risk categorization and exposure, identifying and testing existing controls, and updating contingency plans and back-up procedures. The toolkit advises HHS leaders to consult with cybersecurity subject matter experts, such as CIOs and CISOs, and with government officials (DHS CISA and NIST). It also reminds leaders to specify in contracts that contractors must meet the applicable Federal IT security requirements and regulations.

The toolkit is a useful resource for HHS leaders who need to rapidly roll out information systems to support mission-essential activities, but it also has some limitations and challenges. First, the toolkit does not provide specific guidance or tools for conducting cybersecurity testing, assessing risk, or implementing controls, which may require additional resources and expertise from HHS or external sources. Second, the toolkit does not address how HHS leaders should monitor and evaluate the performance and security of the information systems after deployment, or how they should handle incidents or breaches that may occur. Third, the toolkit does not discuss the legal and ethical implications of collecting, processing, or maintaining sensitive data, such as personal health information, in new or modified information systems, which may raise privacy, compliance, or liability issues for HHS and its partners.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Security, Privacy and the Law | Attorney Advertising