Health IT

HHS security goes back to basics

Health professionals looking to implement effective security measures on a budget might want to stick to the KISS principle.

The reason, as Michael McCoy, chief health information officer at the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology, put it: “Common sense is uncommon.”

Speaking alongside other HHS higher-ups, McCoy and his colleagues shared their simple prescriptions for better security as part of the July 31 Health Summit sponsored by AFCEA’s D.C. chapter.

Start, and maybe stay, small

Rose-Marie Nsahlai, a senior adviser in the same HHS office as McCoy, said she has witnessed myriad breaches of basic cyber hygiene in hospital systems.

Most organizations don’t have insider-threat training, they don’t terminate old user accounts or monitor employee activities, and plenty of hospital staff neglect to log off computers and even actively share passwords.

Suzanne Schwartz, of HHS’s emergency preparedness outfit, said she has seen nurses plug their smart phones into medical devices to charge them – without thinking of the potential vulnerabilities that could open.

“There’s a whole laundry list out there [of problems to address],” Nsahlai said. “We can’t address everything but we can address the big areas that need protection.”

“Simple, basic hygiene can mitigate the potential for intrusions,” added Schwartz.

And it’s good that basic steps could yield big results, because money is tight.

“A big data encryption scheme is tremendously expensive,” noted NATO cyber adviser Curtis Levinson as he bemoaned a lack of federal funding for medical system security. Privacy has become a direct function of cryptography, he argued, saying, “unless you encrypt, you become vulnerable to violation.”

(It’s worth noting, as McCoy did at the Health Summit and others have before, that encryption wouldn’t have helped in the Office of Personnel Management breaches.)

Beyond basic cyber hygiene, the medical system professionals offered a range of security suggestions.

Nsahlai decried the lack of user behavior analytics in health care and called for a switch from SHA-1 hashing to the stronger SHA-2.

McCoy recommended national health ID numbers, totally separate from other identifying information, to prevent hackers from having access to the demographic data “gold” we currently send with medical transactions.

It’s something HHS is barred, for now, from implementing he noted, saying, “Congress will have to take the handcuffs off HHS.”

McCoy cautioned against overburdening practitioners with security measures.

He recalled a small faith-based, mission-driven care center, constantly cash-strapped, and wondered whether the security measures they could afford would leave them spending 30 or 60 seconds each time logging on to their systems.

“I am for privacy and I am for security, but I’m also for seeing the patients and getting the work done,” he said. “There’s a balance.”

Steven Hernandez, CISO for HHS’s inspector general, advised a combination of technical and cultural change, and disagreed with McCoy on the burdens of added security.

Employees might complain at first about new security measures, but they’ll get used to them.

“People get on with their day to day,” he said. “[T]hey put in the PIV cards, they get on with it.”

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.