Former officials at the Department of Health and Human Services have challenged key findings of a watchdog investigation into the cybersecurity of COVID-19 data analysis systems that was rescinded last month.
HHS’ inspector general on Aug. 24 quashed the report, which investigated the launch of COVID-19 data collection and analysis technology without authorizations to operate (ATOs) accepting relevant security risks.
Two officials briefed on the investigation refuted its findings, saying the functions provided by the technology to senior medical decision makers in a short time period outweighed any potential cyber risks.
Details of the quashed investigation were obtained by FedScoop last month through a Freedom of Information Act request. The existence of the report was reported earlier today by The Washington Post.
The investigation probed the launch of the agency’s governmentwide COVID-19 data analysis system HHS Protect, which was set up in just nine days. It also focused on a hospital data collection function provided by TeleTracking Technologies, Inc.
Former HHS Chief Information Officer José Arrieta in an interview told FedScoop the contracts were crucial to the agency’s COVID-19 response efforts and said operation without ATO is contractually permissible as long as there is a stated period of time within which to resolve any lingering issues identified.
“The employees that worked on this did an unbelievable job securing the system within the fractured policy rules and regulations that dominate the cybersecurity marketplace, in the wake of the largest cybersecurity attack on an individual agency in the history of the nation,” Arrieta said.
A second former official with direct knowledge of the data contracts said they were critical in giving HHS leadership the data needed to make decisions at speed during the height of the pandemic and challenged cybersecurity concerns raised in the IG report.
Speaking with FedScoop, that official added that the fact TeleTracking’s contract was renewed indicates the value that was provided to the agency at the time.
HHS renewed TeleTracking’s contract in October 2020, and it was renewed for a second time under the new Biden administration in March 2021. The former Administration for Strategic Preparedness and Response official said this was validation that the product was serving medical professionals well. HHS does not plan to renew its contract with TeleTracking when it expires in December, meaning hospital data collection will revert to the CDC, Bloomberg reported in August.
In addition, a third former HHS official with knowledge of frontline operations told FedScoop that the contracts had allowed HHS to distribute lifesaving drugs quickly and equitably at the height of the pandemic.
“There was a void in data collection and reporting,” the former HHS official said. “There was not a national, real-time system in which to know how many hospital beds were taken up by COVID patients, where people were and how sick they were — as measured by intensive care unit (ICU) status or not.”
The official added that the data reporting structure provided at the time by the CDC’s National Healthcare Safety Network was “inadequate to the task at hand”.
HHS Protect was crucial, the third official added, because its more complete data allowed patient cases to be separated into confirmed or suspected and ICU and non-ICU categories. This in turn proved “irreplaceable” in distributing scarce remdesivir, an in-patient medicine, more equitably, the official said.
ATOs are the official management decision given by senior government officials to authorize operation of an information system on behalf of a federal agency. Such a designation explicitly accepts the risk of operating a commercial product within a government department’s systems.
Despite rescinding the report, it is understood that a follow-up audit of security compliance surrounding the portal’s launch is still being planned for tentative completion in fiscal 2023.
An HHS IG spokesperson said: “HHS OIG is an independent, objective oversight agency. We conduct oversight of HHS programs to help reduce waste, abuse and mismanagement and promote economy and efficiency throughout HHS.”
The CDC did not respond to a request for comment.