HHS-OIG Unveils Comprehensive Cybersecurity Toolkit | Foley Hoag LLP – Leading the Way in Security and Privacy

On March 26, 2024, the HHS Office of Inspector General (OIG) unveiled a cybersecurity toolkit designed for HHS leaders to effectively plan and implement information systems during disasters and public health emergencies. This toolkit offers crucial questions and considerations based on cybersecurity standards utilized by the OIG in evaluating HHS information systems, which can also be applied to the private sector. It is important to note that this toolkit does not aim to comprehensively cover all Federal or HHS-specific IT or cybersecurity requirements. Instead, it serves to facilitate discussions within the Department and with other stakeholders.

The toolkit outlines the essential questions that cybersecurity leaders should be asking themselves: who, why, when, where, and what. It also addresses two scenarios: utilizing or modifying an existing or in-house information system, and acquiring a commercial off-the-shelf product. For each scenario, the toolkit recommends four courses of action to establish an effective cybersecurity posture: creating a testing timeline, evaluating the system’s risk categorization and exposure, verifying existing controls, and updating contingency plans and backup procedures. Additionally, the toolkit advises HHS leaders to collaborate with cybersecurity experts such as CIOs, CISOs, and government officials (DHS CISA and NIST). It also emphasizes the importance of contractually requiring contractors to comply with applicable Federal IT security requirements and regulations.

While the toolkit is valuable for HHS leaders who need to deploy information systems quickly to support essential activities, it presents certain limitations and challenges. Firstly, it does not provide specific guidance or tools for conducting cybersecurity testing, assessing risk, or implementing controls, so additional resources and expertise will be needed from HHS or external sources. Secondly, it lacks information on how HHS leaders should monitor and evaluate the performance and security of information systems after deployment, or how they should manage incidents or breaches that may arise. Lastly, the toolkit does not delve into the legal and ethical implications of handling sensitive data, such as personal health information, in new or modified information systems, which could raise privacy, compliance, or liability issues for HHS and its partners.
