CMS, NIH ERM programs failed to account for national security risks, says OIG

  • The National Institute of Health (NIH) Clinical Center in Bethesda, Md. An OIG audit found security gaps in the NIH and CMS enterprise risk management (ERM) programs. (Credit: Duane Lempke, CC0, via Wikimedia Commons)

    The Centers for Medicare and Medicaid Services enterprise risk management policies and procedures do not account for national security risks. As a result, CMS programs are unable to ensure its security controls are effective in defending against foreign and domestic adversaries, according to a new Office of the Inspector General audit.

    Instead, CMS policies and procedures rely on the enterprise risk management (ERM) processes from the Department of Health and Human Services, rather than its own requirements.

    It’s the second negative OIG report this month, with a previous audit finding CMS does not have protocols to assess networked medical device cybersecurity in hospital environments.

    Congress asked OIG to audit CMS ERM processes to verify whether it included steps for identifying and assessing national security risks, after an earlier OIG audit determined the risks were considered for the National Institutes of Health. The same audit found NIH also failed to consider risks posed by foreign principal investigators who were allowed access to U.S. genomic data.

    Previous audits have found the security policies and procedures around the electronic health records of NIH may have potentially put the security, confidentiality, integrity, and availability of its data at risk. Another OIG review found risks with the way NIH shared sensitive data.

    Meanwhile, a 2019 audit of HHS, CMS, NIH, and the Food and Drug Administration deemed the agencies’ information security programs “not effective.”

    The latest audit reviewed the ERM and risk assessment policies and procedures of the agency, as well as supporting risk management documentation. OIG also interviewed CMS and HHS workforce members.

    While the Office of Management and Budget requires federal agencies to annually develop complete risk profiles that include the identification and analysis of all internal and external risks, OIG found CMS did not generate an agency risk profile as a component of its ERM program.

    As CMS relied on HHS ERM data, its risk profile didn’t have a detailed analysis of the risks specifically posed to CMS and its programs.

    “Although some CMS programs have access to PII and other sensitive data that adversaries may attempt to access, CMS policies and procedures did not mandate that programs consider national security risks, even though ONS had advised all HHS agencies, to include CMS, that national security is a new or emerging risk,” according to the audit.

    “By not assessing national security risks and implementing mitigating controls, CMS programs and their related data are vulnerable to foreign and domestic adversarial threats,” it added.

    For example, the agency’s Clinical Laboratory Improvement Amendments (CLIA) program could benefit from assessment data that details national security risks, as it oversees and regulates about 260,000 non-research testing labs in the U.S. and across the globe.

    OIG recommended CMS implement a process within its ERM process to address the national security risks of all its programs in accordance with OMB rules, including new or emerging risks to the agency and its programs.

    CMS agreed with the recommendation and is currently in the process of establishing its own enterprise risk management program, based on its previous and current participation in the HHS ERM process. The program will include steps to assess national security risks across CMS and relevant programs.

    “Ensuring tight coupling with agency strategic priorities, this capability will amplify the many component-level risk management activities already underway to an enterprise perspective,” CMS Administrator Chiquita Brooks-LaSure explained.

    “Once mature, these programs will identify and monitor threats, assess vulnerabilities in CMS contracts, and mitigate the potential impact from loss of sensitive or restricted information or damage to critical infrastructure by both insiders and foreign adversaries,” she added.

    As the CMS interoperability rules went into effect on July 1, the security program improvements will certainly support the agency as it moves to increase data sharing between health care providers.