The Health and Human Services' inspector general found several oversight and cybersecurity issues during an audit of the Organ Procurement and Transplantation Network. (Army)

The Department of Health and Human Services Office of the Inspector General audit of the national Organ Procurement and Transplantation Network (OPTN) found several oversight issues in need of improvement, to ensure federal cybersecurity requirements are met in a timely fashion. 

Specifically, the policies and procedures for the United Network for Organ Sharing (UNOS) had no policies or procedures for system monitoring, while its access control and risk assessment procedures and policies were only in draft form.

OIG also found a “high risk of local site administrators not deactivating local site user accounts in a timely manner. The only assurance that site administrators deactivated local site user accounts was an annual user account audit that was conducted by the local site administrator.” 

“A terminated user’s account could still be active and used to access the OPTN for up to a year after termination, which would not be considered a timely deactivation, especially considering that bad actors leverage dormant but still active accounts to improperly access systems and data,” according to the report.

No cybersecurity standards and requirements until 2018 for OPTN

The Health Resources and Services Administration (HRSA) is part of HHS and tasked with administering the OPTN. The HRSA chief information security officer (CISO) is responsible for overseeing the cybersecurity controls. Prior to 2018, however, “neither the OPTN contract nor the National Organ Transplant Act (NOTA) included cybersecurity requirements and standards.” 

“Because HRSA did not believe it could compel compliance with these requirements before 2018, it conducted only limited oversight of the OPTN’s cybersecurity,” according to the report. 

HRSA modified the contract with UNOS in 2018 to include NIST and FISMA requirements, thereby improving its cybersecurity oversight of OPTN to include monitoring capabilities. In 2020, the assessment included 141 of the 385 NIST controls.

As such, OIG sought to audit this program and reviewed multiple IT controls used by UNOS to determine whether these measures were implemented in accordance with those federal requirements. Auditors also requested and reviewed documentation for the selected controls and interview personnel.

While HRSA has most of the IT controls needed to protect the privacy and security of transplant data, OIG found the agency needs to strengthen key cybersecurity policies and confirm whether access requirement reviews are being performed.

OIG is concerned that “without finalized, written policies and procedures, there’s a high risk UNOS staff may not fully understand or perform as intended their roles and responsibilities as they pertain to certain cybersecurity controls, or that the OPTN will not comply with NIST controls as required by the FISMA,” according to the findings. 

These gaps could result “in essential cybersecurity controls not being implemented properly or at all.” Further, some the missing controls are crucial to timely detection of cyberattacks or “verify access is restricted and the integrity of the organ matching process is maintained.”

HRSA tracks security policies and tools in a spreadsheet to ensure all controls are audited annually, or at least every three years. UNOS contracted with a third-party security firm in 2020 and 2021 to pen test the organ database, as part of HRSA’s plan of action and milestones.

While there are a number of positive improvements and policies in place for this crucial list, OIG found several areas where HRSA should focus its efforts. In particular, HRSA failed to ensure some of the federally required cybersecurity controls were in place for the OPTN and should improve oversight of UNOS to bolster user access reviews and policy implementations.

Under NIST, organizations must develop, document, disseminate, review, and update policies and procedures for each security control family to address management, compliance, and coordination needs. 

“Because of the critical role of the OPTN and the sensitive data it contains, a security breach could have significant consequences for vulnerable patients,” the auditors noted.

HRSA moves to finalize draft policies and procedures for OPTN

In its defense, HRSA officials explained there was a lack of clarity on and limitation to its OPTN responsibilities in the previous contract. OIG noted that the agency proactively created a plan of action during the audit period to address the lack of policy documentation for certain control families, including those identified by OIG.

OIG is encouraged by the steps HRSA has taken to improve the gaps in its oversight controls and procedures of the OPTN and the OPTN contractor. Namely, HRSA has already “taken action to finalize the policies and procedures that were in draft during our audit and improve the access controls of OPTN.”

HRSA has also added an OPTN information system security officer (ISSO) tasked with oversight of security controls, security procedures, security deliverable schedules, and security compliance assessments. The ISSO will also work with UNOS to ensure the system maintains the proper security documents, mitigates issues, and other security needs.

OIG recommended HRSA develop additional oversight controls and procedures, like deliverable schedules and compliance assessments ensure the OPTN contractor is in compliance with all “Federal cybersecurity requirements and implements security controls over the OPTN in an effective and timely manner.”