HHS-OIG Releases Cybersecurity Toolkit | Foley Hoag LLP – Security, Privacy, Law

On March 26, 2024, the HHS Office of Inspector General (OIG) released a cybersecurity toolkit to help HHS leaders plan and implement information systems in response to disasters and public health emergencies. The toolkit provides key questions and considerations based on the cybersecurity standards the OIG uses in its assessments of HHS information systems, many of which are applicable to the private sector as well. However, the toolkit is not intended to comprehensively cover or ensure compliance with all federal or health-service-specific IT or cybersecurity requirements; it is intended to inform and coordinate discussions with stakeholders.

The toolkit shows cybersecurity leaders the who, why, when, where and what questions to ask themselves. It also covers two scenarios: using and modifying existing or in-house information systems, and purchasing off-the-shelf products. For each scenario, the toolkit suggests four courses of action to ensure an effective cybersecurity posture: developing a testing timeline, assessing the system's impact on risk classification and exposure, identifying and testing existing controls, and updating emergency plans and backup procedures. The toolkit also advises HHS leaders to consult with cybersecurity subject matter experts, such as the CIO and CISO, and with government agencies (DHS CISA, NIST). It further encourages leaders to specify in contracts that contractors must meet applicable federal IT security requirements and regulations.

Although the toolkit is a valuable resource for HHS leaders who need to quickly deploy information systems to support mission-critical activities, it has some limitations. First, it does not provide specific guidance or tools for conducting cybersecurity tests, assessing risks, or implementing controls, so additional resources and expertise from HHS or external sources may be necessary. Second, it does not address how HHS leaders should monitor and assess the performance and security of information systems after deployment, or how to respond to incidents or breaches that may occur. Third, it does not discuss the legal and ethical implications of collecting, processing, or maintaining sensitive data, such as personal health information, in new or changed information systems, which could raise privacy, compliance, or liability issues for HHS and its partners.
