The Department of Health and Human Services (HHS) should improve its cybersecurity oversight of an important organ sharing network service and the nonprofit overseeing it, the inspector general’s office overseeing the federal agency said Monday.
The report serves as a warning that data involving organ donors and receivers may not be adequately protected in the event of a security breach.
“Because of the critical role of the OPTN and the sensitive data it contains, a security breach could have significant consequences for vulnerable patients,” the report reads, referring to the Organ Procurement and Transplantation Network (OPTN).
The inspector general’s office said in the new report that the department’s Health Resources and Services Administration (HRSA) should develop additional oversight controls for the OPTN, which administers organ transplants and testing in the U.S.
That includes ensuring data on deliverable schedules, compliance assessments and monitoring is better protected in the information technology cyberspace.
The OPTN, known for its backlogs and tremendous wait times for patients seeking organs, has come under some scrutiny in recent months.
Earlier this month, the Senate Finance Committee released a report linking 70 deaths and more than 200 organ diseases to a lack of oversight from the OPTN.
The committee report detailed mistakes made with the organ network, including patients who received organs with the wrong blood type or organs that were tossed because of transportation failures.
The OPTN is overseen by the United Network for Organ Sharing (UNOS) on behalf of the federal government. A Washington Post report at the end of July revealed the nonprofit relies on out-of-date technology for the OPTN.
The inspector general’s office launched its audit to determine whether the HRSA properly conducted cybersecurity oversight of UNOS.
Among the findings were that the HRSA “lacked adequate oversight procedures for UNOS to ensure that all federal cybersecurity requirements were being met in a timely and effective manner.”
“A lack of finalized, written policies and procedures could result in essential cybersecurity controls not being implemented properly or at all,” the report reads.