The HHS Office of Inspector General (OIG) has called on the Health Resources and Services Administration (HRSA) to strengthen its oversight of the cybersecurity of the Organ Procurement and Transplantation Network (OPTN).
The OPTN is the nationwide system for allocating and distributing donor organs to people who need transplants. It is a public-private partnership that links all of the professionals active in organ donation and transplantation, and it is managed by the United Network for Organ Sharing (UNOS). UNOS is a not-for-profit organization responsible for operating the systems that store the personal data and medical details of organ donors, transplant candidates, and transplant recipients.
The OPTN relies on IT systems to match donated organs quickly with individuals on the waiting list. The window for delivering a donated organ to a recipient is very short, often a matter of hours or at most days. The IT systems are therefore essential to an effective process and require the confidentiality, integrity, and availability of information to be maintained at all times. The Department of Health and Human Services has designated the OPTN a High-Value Resource.
If attackers compromised the OPTN systems, organs might not be matched to recipients, which is a life-or-death matter. The OPTN has been criticized for the outdated IT systems in use and for the lack of technical capacity to modernize those systems and make them secure and fit for purpose. Although UNOS states that security controls are in place to maintain the confidentiality, integrity, and availability of information in its IT systems, vulnerabilities that malicious actors could exploit may still be present.
Before 2018, the OPTN contract did not include any cybersecurity requirements or specifications because HRSA did not believe it could enforce compliance, and HRSA performed only minimal oversight of OPTN cybersecurity. In 2018, HRSA amended its contract with UNOS to require compliance with FISMA and NIST cybersecurity guidelines and to increase oversight of the OPTN, including ensuring that compliance with FISMA and NIST requirements was properly tracked.
OIG conducted a review to determine whether HRSA had implemented appropriate cybersecurity controls for the OPTN, consistent with Federal requirements, to protect the confidentiality, integrity, and availability of donation and transplantation data, and to assess whether it was providing sufficient oversight of UNOS's cybersecurity. The audit did not include any technical testing, but it did evaluate selected general IT controls to determine whether they had been implemented in line with Federal requirements, including risk assessment, the system security plan, access controls, configuration management, system monitoring, vulnerability remediation, and vulnerability scanning. OIG also reviewed two penetration tests of the OPTN.
OIG confirmed that most of the IT controls had been implemented in accordance with Federal requirements, but it identified several areas where HRSA could improve its oversight of UNOS. OIG found that HRSA lacked adequate oversight processes to ensure that UNOS met all Federal cybersecurity requirements promptly and effectively. For example, although NIST specifies policy and procedure controls for every security control family and assigns them the highest priority code, several of UNOS's policies and procedures were either missing or still in draft. Access control and risk assessment policies and procedures were still being drafted, and system monitoring policies and procedures were not in place. There was also an increased risk that local site administrators would not disable local site user accounts promptly, and if that happened, UNOS might not learn of it for up to a year, until the next annual user account review.
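The account-deactivation gap described above is a detection-latency problem: if the only check is an annual review, a local account that should have been disabled can stay active for up to a year. One compensating control is a periodic stale-account check run centrally against the user directory. The following is an added illustration, not code from the OIG report, HRSA, or UNOS; the account records, the site names, and the 90-day inactivity threshold are all constructed for the example, and a real deployment would read the records from the identity system instead.

```python
"""Periodic stale-account check for locally administered user accounts.

Added example: flags enabled accounts that have not logged in within a
configurable window, so the central team does not depend on an annual
review to learn that a local administrator left an account active.
"""
from datetime import date, timedelta

# Constructed sample records (not real OPTN or UNOS data). last_login is None
# for an account that has never been used; "enabled" is the local site state.
SAMPLE_ACCOUNTS = [
    {"user": "coord01", "site": "site-A", "enabled": True,  "last_login": date(2023, 9, 10)},
    {"user": "coord02", "site": "site-A", "enabled": True,  "last_login": date(2023, 2, 3)},
    {"user": "surg07",  "site": "site-B", "enabled": False, "last_login": date(2022, 11, 20)},
    {"user": "temp_rn", "site": "site-B", "enabled": True,  "last_login": None},
    {"user": "coord11", "site": "site-C", "enabled": True,  "last_login": date(2023, 9, 28)},
]

# Constructed "today" for the sample run.
AS_OF = date(2023, 10, 1)


def find_stale_accounts(accounts, as_of, max_inactive_days=90):
    """Return enabled accounts with no login inside the inactivity window.

    Each result is (user, site, days_inactive). days_inactive is None for an
    account that has never logged in; such accounts are flagged unconditionally,
    since "no login yet" is not evidence that the account is still needed.
    """
    cutoff = as_of - timedelta(days=max_inactive_days)
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled locally; nothing to escalate
        last = acct["last_login"]
        if last is None:
            stale.append((acct["user"], acct["site"], None))
        elif last < cutoff:
            stale.append((acct["user"], acct["site"], (as_of - last).days))
    # Sort by site, then user, so each local administrator gets a stable list.
    return sorted(stale, key=lambda r: (r[1], r[0]))


def stale_by_site(stale):
    """Group flagged accounts by site for follow-up with that site's administrator."""
    grouped = {}
    for user, site, _days in stale:
        grouped.setdefault(site, []).append(user)
    return grouped


if __name__ == "__main__":
    for user, site, days in find_stale_accounts(SAMPLE_ACCOUNTS, AS_OF):
        age = "never used" if days is None else f"inactive {days} days"
        print(f"{site}: {user} ({age})")
```

Run on a schedule (weekly, say), this turns a worst-case detection delay of about a year into a delay of about a week, and the per-site grouping gives the central team a concrete list to send back to each local administrator.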
The OIG report states that without complete, written policies and procedures there is a significant risk that UNOS staff will not fully understand or carry out their roles and responsibilities for specific cybersecurity controls as intended, or that the OPTN will not comply with the NIST controls required by FISMA. Important cybersecurity controls might not be implemented properly, or at all.
OIG recommended that HRSA strengthen its oversight to ensure that the OPTN contractor complies with all Federal cybersecurity requirements and does so promptly. HRSA responded that it had verified that most of the cybersecurity controls OIG evaluated had been implemented by UNOS, and that it had taken steps to strengthen oversight and controls, including designating an OPTN Information System Security Officer to supervise the contractor's cybersecurity efforts. Action has also been taken to finalize all draft policies and procedures, and plans of action and milestones (POA&Ms) were created to ensure the prompt deactivation and deletion of inactive user accounts. HRSA has confirmed that UNOS has implemented two-factor authentication for all end users.