Evolving Cyber Threats Prompt Agencies to Hone in on Data Security

The COVID-19 pandemic increased the need for data sharing and security as agencies quickly pivoted to remote environments, and health officials say information sharing will remain a critical component in federal health care after the pandemic. With the increased data services, agencies are looking at a multi-tiered approach to technology to prevent unwanted access and intruders.

The Centers for Medicare and Medicaid has a robust set of policies to share data with the National Institutes of Health and the Centers for Disease Control and Prevention. In fact, CMS built dedicated servers for COVID analysis alone, said Andy Shatto, deputy director of CMS’ Office of Enterprise Data and Analytics, during FedInsider’s Enhancing Patient Data Sharing virtual event.

But during the pandemic, health data became increasingly susceptible to ransomware and data breaches — unleashing a new set of IT challenges. This prompted agencies like the Veterans Health Administration to implement new security protocols while ensuring data to still be readily available.

Joe Ronzio, deputy chief health technology officer at VHA, recommends federal health care officials start from a FISMA high data protection standard to eliminate vulnerabilities and increase security of sensitive federal information.

“Most people are coming in at the FISMA moderate level,” Ronzio said. “That makes it very difficult for us to interoperate, as well as interact and purchase commercial-off-the-shelf software because we’re expecting a higher level of security.”

Emerging technologies like advanced business analytics and machine learning have helped the agency secure health data, but there’s still room for improvement, Ronzio said.

This is where a multi-tiered approach to technology helps prevent unwanted access. One way is through encryption.

“Having things that can break existing encryption algorithms, or a segment of existing encryption algorithms, means that we need to be improving and planning for the future,” Ronzio said. “You have to lean forward into these problems, so as an attacker is developing a new technique, you want to have that discussion with your business partners.”

Following the SolarWinds breach and Colonial Pipeline hack, NIH Clinical Center CISO David Olson said that it’s vital for government overall to evaluate the threat landscape and take a proactive approach to avoid future attacks.

NIH’s Clinical Center is focusing on IT asset management to expand its knowledge of software, hardware and licenses, and to better understand its environment and allocate resources. It’s also important to have a patching strategy, Olson said.

“Pick the top vulnerabilities that you have. We have a list of five to 10 categories, and we really try to dive into them and figure out the best approach to bring them down based on what the priority is and what the risk means to the organization,” Olson said.

In order to be an effective steward of health data, agencies must invest in its workforces to advance training and knowledge bases. Meaningful education on phishing and vishing will help federal employees to decipher these threats, Olson said.

“You have to engage at levels and job roles at an organization, not just security. We have the expertise, so we have to use that to speak to a broader audience,” he said. “We need to understand what others in the organization see and how we can help them.”

Olson recommended agencies perform gap analysis to understand areas that need attention. From there, organizations should develop a roadmap based on the security recommendations. NIH’s Clinical Center is also incorporating security and privacy into its electronic health record training so that security is baked into the process.

“It’s more important than ever that everyone looks at the threat landscape and creates an approach to avoid being victims,” Olson said.