An official website of the United States government
The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Copies can also be obtained by contacting the Office of Public Affairs at [email protected].
09-07-2022 | A-18-21-03100 | Complete Report | Report in Brief
In response to the COVID-19 pandemic, health care providers increasingly deliver care using telehealth technologies. These technologies improve access to care, increase patient convenience, and increase service-delivery efficiency.
Our objective was to determine whether the Indian Health Service (IHS) implemented select cybersecurity controls to protect its telehealth system.
We reviewed applicable IHS and HHS policies and procedures for telehealth technologies, interviewed staff, and reviewed system security documentation to determine whether IHS telehealth technologies was secure. We focused on determining whether IHS designed and implemented cybersecurity controls that are essential to securing IHS telehealth systems components before deployment.
Although IHS deployed a national telehealth system, which increased the availability of health care services during the pandemic, it did not complete select IT controls as required prior to deploying its telehealth system nationally. Specifically, IHS did not complete the contingency plan, risk assessment, finalized authorization to operate (ATO), and system security plan. Additionally, after deployment of the telehealth system, IHS did not remediate known vulnerabilities on some telehealth system devices in a timely manner.
We recommend that the Indian Health Service develop a strategy for identifying, implementing, and testing cybersecurity controls for new information systems that are deployed in an expedited fashion to meet an urgent, mission-critical need. The strategy should define the minimum set of critical controls that must be implemented and tested before the system is deployed, noting the acceptance of risk for not implementing all required controls and stipulate that the full ATO process will be completed within a specific time period. We also recommend that the Indian Health Service ensure that adequate policies, procedures, and training are implemented to ensure that known telehealth vulnerabilities are remediated in a timely manner.
IHS concurred with our recommendations and will develop guidance for inclusion in the IHS Indian Health Manual for expeditiously deploying a new information system for use during emergencies when it is necessary to meet an urgent, mission-critical need. In addition, IHS will review related policies, procedures, and training to ensure they are adequate to address all known system vulnerabilities by December 31, 2022.
Filed under: Indian Health Service