OIG again finds HHS’s infosec program ineffective

Health
By Liam

Similar to last year’s findings, the Office of Inspector General said Tuesday that U.S. health and human services continue to struggle to identify, detect, respond to and recover from information security threats.

WHY IT’S IMPORTANT

In its annual audit required by the Federal Information Security Modernization Act of 2014, OIG said it assessed HHS programs and practices against the core and supplemental metrics.

The efforts found that HHS was “ineffective” in meeting maturity for all five functional areas within the NIST framework for federal agencies – Identify, Protect, Detect, Respond and Recover – OIG said in its new report.

OIG said it has made six recommendations to HHS to strengthen its information security program through improved oversight and implementation of information security controls:

  • Update the enterprise architecture systems inventory and software/hardware asset inventories with the information systems and components operating on the HHS network.
  • Fully implement a cybersecurity risk management strategy to assess and respond to identified risks within the agency and identified across all operating divisions, monitor for emerging risks and monitor risks, and confirm implementation.
  • Require operating divisions to include security impact analysis of major changes prior to implementation to measure the impact on the organization’s security and business architecture and confirm implementation.
  • Require operating divisions to implement an effective supply chain risk management program that meets defined standards within HHS, and confirm that implementation is consistent with established standards.
  • Require operating divisions to monitor background investigations conducted for employees and contractors with logical access throughout the agency, and to continuously monitor new and existing users to ensure that operating divisions are aware of their investigation status users.
  • Confirm that operating division policies require monitoring privileged user accounts for both logging and activity reviews, in an automated manner.

THE BIG TREND

FISMA requires federal agencies’ Inspectors General to conduct annual independent reviews of their agencies’ information security programs and practices to determine the effectiveness of those programs and practices.

While meeting FISMA requirements has been a challenge for many federal agencies, HHS has struggled to meet the requirements in recent years. And as recently as July, OIG said an audit and testing of the agency’s cloud systems revealed deficiencies in its defenses.

The agency “has not accurately identified and inventoried all of its cloud systems in accordance with HHS security requirements,” OIG said in it report.

“Even though HHS has implemented some security measures to protect its cloud systems, several key security controls have not been effectively implemented in accordance with federal requirements and guidance.”

Overall, most federal agencies have been found inadequate in their implementation of information security policies and practices.

Two years ago, the Government Accountability Office said yes there are major inconsistencies in complying with FISMA. Seventeen of the 23 civilian agencies have failed to fully achieve their cybersecurity goals, and the inspectors general of 16 of those agencies reported ineffective infosec programs in their annual audits.

In September, in accordance with the Health Information Technology for Economic and Clinical Health Act, HHS published its Federal Health IT Strategy 2024-2030. In the plan, HHS aligned its cybersecurity goals with the Healthcare Industry Concept Paper published last year and the voluntary healthcare-specific Cybersecurity Performance Goals the agency presented to the healthcare industry in January.

ON THE RECORD

“HHS agreed with five of our recommendations,” the watchdog agency said in the audit report.

“HHS disagreed with the recommendation to complete the implementation of a cybersecurity risk management strategy because it believes the current strategy is sufficient.”

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.

You might also like More from author