United Network of Organ Sharing Security and IT Management Under Scrutiny
The national network for connecting medical centers with donated human organs faces doubts about its ability to secure data amid mounting concerns over its IT infrastructure.
The newest criticism comes from a federal watchdog review of the Health Resources and Services Administration and the nonprofit United Network of Organ Sharing. As of January, nearly 107,000 individuals were candidates on the Organ Procurement and Transplantation Network waitlist. OPTN is designated by the federal government as a “high-value asset.”
UNOS, which manages its network at the administration’s behest, lacked system monitoring and only had draft procedures for access controls when federal auditors conducted their review.
The OPTN “is a very ‘just in time’ system where the time between an organ becoming available and getting it into the right patient can be measured in days or even hours,” says Benjamin Denkers, chief innovation officer at consultancy CynergisTek.
“Hackers breaching the system could create any number of disruptions to the system connecting available organs with patients in need.”
A statement from an UNOS spokeswoman shared with Information Security Media Group notes that auditors concluded that “OPTN security controls ‘protect the confidentiality, integrity, and availability of transplant data.'”
Publication of the watchdog report comes just days after the Health Resources and Services Administration disclosed an OPTN security compromise and just weeks after a bipartisan Senate report warned that UNOS lacks the know-how to modernize a fragile core IT network.
A review of the data affected by the breach found that “limited” protected health information and personally identifiable information had been entered in a free-text field. Individuals who had access to the data were researchers who signed a data use agreement, making “improper purposes” unlikely.
Affected information may include names, Social Security numbers, dates of birth or death, diagnosis and medications. UNOS tells ISMG it notified 23 patients whose data was affected and that hospitals
“have implemented corrective measures to ensure that de-identified data are entered appropriately in free text fields.” The incident was “not a data breach or a hacking attempt,” says spokeswoman Anne Paschke.
UNOS has been under scrutiny by Congress, with some lawmakers, including the Senate Finance Committee, calling for reforms in how organ procurement and transplants are managed.
The UNOS IT network is “outdated, difficult to use, and often slow to function,” said Diane Brockmeier, chief executive of an organ procurement organization, in written testimony before the committee. The network contains data that could facilitate more efficient organ placement but UNOS doesn’t use it, Brockmeier said.
Analysis by the U.S. Digital Service in 2021 released in redacted form by the committee concluded that UNOS lacks “sufficient technical capabilities” to modernize its IT network. Rather than making substantial upgrades to its IT network such as cloud functionality and real-time integration of its constituent parts, UNOS has gotten by with “hand-waving at change with technical jargon, while making no substantive progress.”
Some of the HHS auditors’ findings about oversight of OPTN’s cybersecurity are also common problems in the larger healthcare sector.
“In many healthcare organizations, the IT department is overhead, meaning IT is necessary for the business operations, but it is not the main mission of the organization. Therefore, IT tends to be underfunded and understaffed,” says Tom Walsh, president of consultancy tw-Security.
“Information security and data privacy are important, but usually not urgent unless there is an incident or a breach. Typically, IT staff are busy addressing urgent requests resulting in routine, operational security tasks get pushed to the back burner,” he says.
In fact, having a chief security officer in a health system or health plan was extremely rare up until a few years ago, Denkers says. “Many healthcare organizations today still bury that function somewhere down in the IT org chart.”