Health IT

HHS security goes back to basics

Health professionals looking to implement effective security measures on a budget might want to stick to the KISS principle.

The reason, as Michael McCoy, chief health information officer at the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology, put it: “Common sense is uncommon.”

Speaking alongside other HHS higher-ups, McCoy and his colleagues shared their simple prescriptions for better security as part of the July 31 Health Summit sponsored by AFCEA’s D.C. chapter.

Start, and maybe stay, small

Rose-Marie Nsahlai, a senior adviser in the same HHS office as McCoy, said she has witnessed myriad breaches of basic cyber hygiene in hospital systems.

Most organizations don’t have insider-threat training, they don’t terminate old user accounts or monitor employee activities, and plenty of hospital staff neglect to log off computers and even actively share passwords.

Suzanne Schwartz, of HHS’s emergency preparedness outfit, said she has seen nurses plug their smart phones into medical devices to charge them – without thinking of the potential vulnerabilities that could open.

“There’s a whole laundry list out there [of problems to address],” Nsahlai said. “We can’t address everything but we can address the big areas that need protection.”

“Simple, basic hygiene can mitigate the potential for intrusions,” added Schwartz.

And it’s good that basic steps could yield big results, because money is tight.

“A big data encryption scheme is tremendously expensive,” noted NATO cyber adviser Curtis Levinson as he bemoaned a lack of federal funding for medical system security. Privacy has become a direct function of cryptography, he argued, saying, “unless you encrypt, you become vulnerable to violation.”

(It’s worth noting, as McCoy did at the Health Summit and others have before, that encryption wouldn’t have helped in the Office of Personnel Management breaches.)

Beyond basic cyber hygiene, the medical system professionals offered a range of security suggestions.

Nsahlai decried the lack of user behavior analytics in health care and called for a switch from SHA-1 hashing to the stronger SHA-2.

McCoy recommended national health ID numbers, totally separate from other identifying information, to prevent hackers from having access to the demographic data “gold” we currently send with medical transactions.

It’s something HHS is barred, for now, from implementing he noted, saying, “Congress will have to take the handcuffs off HHS.”

McCoy cautioned against overburdening practitioners with security measures.

He recalled a small faith-based, mission-driven care center, constantly cash-strapped, and wondered whether the security measures they could afford would leave them spending 30 or 60 seconds each time logging on to their systems.

“I am for privacy and I am for security, but I’m also for seeing the patients and getting the work done,” he said. “There’s a balance.”

Steven Hernandez, CISO for HHS’s inspector general, advised a combination of technical and cultural change, and disagreed with McCoy on the burdens of added security.

Employees might complain at first about new security measures, but they’ll get used to them.

“People get on with their day to day,” he said. “[T]hey put in the PIV cards, they get on with it.”

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.