HHS’ Office Of Inspector General Advises HRSA To Improve Their Oversight Of OPTN Cybersecurity

The Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) has requested the Health Resources and Services Administration (HRSA) to improve their oversight of the cybersecurity of the Organ Procurement and Transplantation Network (OPTN).

The OIG was established to ensure the protection of HHS programs through a nationwide network of audits, investigations, and inspections.The latest audit conducted by the OIG was to determine whether the HRSA had complied with federal requirements to implement appropriate and suitable cybersecurity controls over the OPTN to protect transplant information. The OPTN is a component of the HRSA’s nationwide system for allocation and distributing donor organs to those awaiting organ transplants. The United States’ donation and transplantation system is linked via the public-private organization known as OPTN.

In the audit, the OIG evaluated a number of IT controls that the United Network for Organ Sharing (UNOS) had put in place for the OPTN to assess whether the HRSA was taking sufficient action to ensure the IT controls were federally compliant. To achieve this, the OIG requested documentation on basic IT controls from UNOS and HRSA. Additionally, interviews were conducted with HRSA and UNOS representatives which included demonstrations of the OPTN general IT controls. 

The OIG concluded that the HRSA had ensured that UNOS had implemented the majority of the IT controls evaluated by the OIG in order to secure the transplant data they handle and therefore, were in compliance with the Federal requirements. However, the OIG did identify certain areas where the HRSA’s management of UNOS should be improved in order to guarantee that all Federal standards are promptly addressed. The OIG stated that the HRSA should strengthen its control over UNOS to ensure that proper evaluations of local users’ access to OPTN are conducted and that several crucial cybersecurity policies and procedures are completed and implemented. 

To achieve this, the OIG has advised the HRSA to develop and implement several additional oversight controls and procedures to guarantee the OPTN contractor is compliant with the Federal cybersecurity regulations. These include deliverable schedules, compliance assessments, and monitoring. 

According to HRSA, it is committed to continually improve its oversight of and controls over OPTN. The HRSA has employed federal employees as the OPTN Information System Security Officer and has also stated that they will take further steps to complete and introduce the policies and procedures that were in draft form during the audit.