Health IT

HHS security goes back to basics

Health professionals looking to implement effective security measures on a budget might want to stick to the KISS principle.

The reason, as Michael McCoy, chief health information officer at the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology, put it: “Common sense is uncommon.”

Speaking alongside other HHS higher-ups, McCoy and his colleagues shared their simple prescriptions for better security as part of the July 31 Health Summit sponsored by AFCEA’s D.C. chapter.

Start, and maybe stay, small

Rose-Marie Nsahlai, a senior adviser in the same HHS office as McCoy, said she has witnessed myriad breaches of basic cyber hygiene in hospital systems.

Most organizations don’t have insider-threat training, they don’t terminate old user accounts or monitor employee activities, and plenty of hospital staff neglect to log off computers and even actively share passwords.

Suzanne Schwartz, of HHS’s emergency preparedness outfit, said she has seen nurses plug their smart phones into medical devices to charge them – without thinking of the potential vulnerabilities that could open.

“There’s a whole laundry list out there [of problems to address],” Nsahlai said. “We can’t address everything but we can address the big areas that need protection.”

“Simple, basic hygiene can mitigate the potential for intrusions,” added Schwartz.

And it’s good that basic steps could yield big results, because money is tight.

“A big data encryption scheme is tremendously expensive,” noted NATO cyber adviser Curtis Levinson as he bemoaned a lack of federal funding for medical system security. Privacy has become a direct function of cryptography, he argued, saying, “unless you encrypt, you become vulnerable to violation.”

(It’s worth noting, as McCoy did at the Health Summit and others have before, that encryption wouldn’t have helped in the Office of Personnel Management breaches.)

Beyond basic cyber hygiene, the medical system professionals offered a range of security suggestions.

Nsahlai decried the lack of user behavior analytics in health care and called for a switch from SHA-1 hashing to the stronger SHA-2.

McCoy recommended national health ID numbers, totally separate from other identifying information, to prevent hackers from having access to the demographic data “gold” we currently send with medical transactions.

It’s something HHS is barred, for now, from implementing he noted, saying, “Congress will have to take the handcuffs off HHS.”

McCoy cautioned against overburdening practitioners with security measures.

He recalled a small faith-based, mission-driven care center, constantly cash-strapped, and wondered whether the security measures they could afford would leave them spending 30 or 60 seconds each time logging on to their systems.

“I am for privacy and I am for security, but I’m also for seeing the patients and getting the work done,” he said. “There’s a balance.”

Steven Hernandez, CISO for HHS’s inspector general, advised a combination of technical and cultural change, and disagreed with McCoy on the burdens of added security.

Employees might complain at first about new security measures, but they’ll get used to them.

“People get on with their day to day,” he said. “[T]hey put in the PIV cards, they get on with it.”

About the Author

Zach Noble is a former FCW staff writer.


  • Government Innovation Awards
    Government Innovation Awards -

    Congratulations to the 2020 Rising Stars

    These early-career leaders already are having an outsized impact on government IT.

  • Cybersecurity
    cybersecurity (Rawpixel/

    CMMC clears key regulatory hurdle

    The White House approved an interim rule to mandate defense contractors prove they adhere to existing cybersecurity standards from the National Institute of Standards and Technology.

Stay Connected