The Office of Inspector General (OIG) at the Department of Health and Human Services (HHS) has called for the Health Resources and Services Administration (HRSA) to bolster its oversight of the cybersecurity of the Organ Procurement and Transplantation Network (OPTN). This public-private partnership is managed under contract by the United Network for Organ Sharing (UNOS), a nonprofit that links all professionals involved in the donation and transplantation system. The OPTN holds the personal and medical information of organ donors, transplant candidates, and transplant recipients.
The OPTN’s IT systems are essential for the timely matching of donated organs with patients awaiting transplants, a process that requires the confidentiality, integrity, and availability of the data to be strictly maintained. HHS has designated the OPTN a High-Value Asset, signifying the critical importance of its IT systems. If attackers were to breach the system, the resulting disruption could prevent organs from being matched in time, with potentially life-threatening consequences. Despite this, UNOS has been criticized for the inadequacy of its IT systems and for lacking the technical capability to upgrade them to be secure and effective. UNOS maintains that security controls are in place to protect the privacy, accuracy, and availability of the data in its IT systems, though some remain skeptical and point to potential vulnerabilities that malicious actors could exploit.
In 2018, HRSA modified its contract with UNOS to require compliance with FISMA and NIST cybersecurity guidelines and to increase oversight of the OPTN, including appropriate monitoring of compliance with FISMA and NIST standards. Under that contract, OIG conducted a review to assess whether HRSA had ensured that appropriate cybersecurity controls were implemented for the OPTN to protect the confidentiality, integrity, and availability of donation and transplantation data, and to assess the adequacy of HRSA’s oversight of UNOS’s implementation of cybersecurity. OIG reviewed selected general IT controls (the system security plan, risk assessment, access controls, configuration management, system monitoring, flaw remediation, and vulnerability assessments) to determine whether they had been implemented in accordance with Federal requirements, and also reviewed penetration tests of the OPTN. OIG found that most IT controls had been implemented in accordance with Federal requirements but identified several areas for improvement. NIST assigns policy and procedure controls the highest priority code, yet several of UNOS’s policies and procedures either did not exist or remained in draft: access control and risk assessment policies and procedures were still in draft, and system monitoring policies and procedures were absent. OIG also noted a high risk that local site administrators would not deactivate local user accounts on time, and that such a lapse could go undetected by UNOS for up to a year.
OIG urged HRSA to increase its oversight to confirm that the OPTN contractor complies with all Federal cybersecurity requirements in a timely manner. HRSA responded that UNOS had already implemented the majority of the cybersecurity controls OIG evaluated, and that it had taken additional steps to improve monitoring and control, such as appointing an OPTN Information System Security Officer to supervise the contractor’s cybersecurity efforts. HRSA has also acted to finalize all draft policies and procedures, put together Plans of Action and Milestones (POA&Ms) to ensure that inactive user accounts are disabled and removed promptly, and confirmed that UNOS has applied two-factor authentication for all users.
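The account finding above (local site administrators not deactivating accounts on time, undetected by UNOS for up to a year) and the POA&M to disable inactive accounts promptly both come down to the same periodic check: reconcile every enabled local account against the user's separation date and last use, and surface the results per site so the overseer, not just the local administrator, sees the lag. The following is an added example of such a reconciliation, written for this page and not code from OIG, HRSA, or UNOS. The account export fields, the sample rows, the 90-day idle threshold, and the one-day separation allowance are all assumptions for the example, not the OPTN's actual data model or policy values.

```python
from collections import Counter
from datetime import date

# Constructed sample data (not real OPTN/UNOS records): one row per local
# user account, as a site administrator's export might look. The field
# names and the thresholds used below are assumptions for this example.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "site": "TXC-01", "status": "active",
     "created": "2021-03-01", "last_login": "2023-09-30", "separated": None},
    {"user": "bob", "site": "TXC-01", "status": "active",
     "created": "2020-06-15", "last_login": "2023-01-15", "separated": "2023-02-01"},
    {"user": "carol", "site": "TXC-02", "status": "disabled",
     "created": "2019-01-10", "last_login": "2022-11-03", "separated": "2022-11-04"},
    {"user": "dave", "site": "TXC-02", "status": "active",
     "created": "2022-02-01", "last_login": "2023-05-01", "separated": None},
    {"user": "erin", "site": "TXC-03", "status": "active",
     "created": "2023-06-01", "last_login": None, "separated": None},
]


def _parse(value):
    """ISO date string -> date; an empty field or an existing date passes through."""
    if value is None or isinstance(value, date):
        return value
    return date.fromisoformat(value)


def review_accounts(accounts, as_of, max_idle_days=90, max_separation_lag_days=1):
    """Flag enabled local accounts that should already have been disabled.

    Two findings are produced:
      separated_not_disabled: the user has a separation date but the account
          is still enabled; 'days' is how long it has stayed enabled since then.
      dormant: no separation recorded, but the account has not been used for
          more than max_idle_days (an account that was never logged into is
          measured from its creation date).
    Disabled accounts are skipped: they are no longer an access path.
    """
    as_of = _parse(as_of)
    findings = []
    for acct in accounts:
        if acct["status"] != "active":
            continue
        separated = _parse(acct["separated"])
        if separated is not None:
            lag = (as_of - separated).days
            if lag > max_separation_lag_days:
                findings.append({"user": acct["user"], "site": acct["site"],
                                 "finding": "separated_not_disabled", "days": lag})
            continue  # a separated user is reported once, not again as dormant
        idle_since = _parse(acct["last_login"]) or _parse(acct["created"])
        idle = (as_of - idle_since).days
        if idle > max_idle_days:
            findings.append({"user": acct["user"], "site": acct["site"],
                             "finding": "dormant", "days": idle})
    return findings


def findings_by_site(findings):
    """Count findings per site so the central overseer can see which local
    administrators are falling behind on deactivations."""
    return dict(Counter(f["site"] for f in findings))


if __name__ == "__main__":
    results = review_accounts(SAMPLE_ACCOUNTS, as_of="2023-10-01")
    for f in results:
        print(f"{f['site']} {f['user']:<6} {f['finding']:<23} {f['days']} days")
    print(findings_by_site(results))
```

Run against the constructed sample as of 2023-10-01, the check reports bob (separated eight months earlier, still enabled), dave (no login for five months), and erin (created four months earlier, never used), while carol is ignored because her account was already disabled. The point of the per-site tally is the detection-lag half of OIG's finding: if the central operator runs this reconciliation monthly rather than annually, a site that stops deactivating accounts shows up within a month instead of a year.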