While HHS is continuing to strengthen its information security program, the agency still has security weaknesses that need to be addressed.
The Office of Inspector General today released findings and recommendations based on its audit of the U.S. Department of Health and Human Services (HHS) to measure its compliance in 2018 with the Federal Information Security Modernization Act of 2014.
The Federal Information Security Modernization Act of 2014 requires the Inspector General to evaluate each year the information security programs and practices of HHS to determine their effectiveness.
The Office of Inspector General reviewed federal laws, regulations and guidance and examined the programs currently implemented at the agency. It selected and assessed four operating divisions and then recommended areas for improvement.
After review, the Office of Inspector General found that HHS is continuing to strengthen its information security program. The agency is still working to implement a department-wide Continuous Diagnostics and Mitigation program with the Department of Homeland Security.
HHS has established a risk framework for evaluating and reporting risks and has provided an information technology (IT) strategy to the operating divisions to help their leaders make better risk decisions. The agency’s Office of the Chief Information Security Officer also hosts monthly meetings to discuss new risks and trends with each operating division.
The agency has defined guidelines for the appropriate security configuration of information systems and has established roles to be implemented at the operating divisions. Each operating division still needs to develop product-specific baselines, implement them and monitor them so it can respond properly to misconfigurations.
But one operating division had a large number of vulnerabilities that were not being addressed in a timely manner, and another had IT assets deployed with security configurations that the vendor no longer supported, leaving those assets unable to address emerging threats.
The Office of Inspector General found weaknesses in each of the five Cybersecurity Framework function areas: Identify (risk management), Protect (identity and access management, configuration management, data protection and privacy, security training), Detect (information security continuous monitoring), Respond (incident response) and Recover (contingency planning).
The Office of Inspector General recommended that the HHS Office of the Chief Information Officer work with the agency’s operating divisions to enhance its risk management strategy so that it integrates governance functions for information security, strategic planning and reviews, internal control activities and applicable mission and business areas. Upgrades should include integrating threat modeling into risk assessments and adopting reporting tools that support timely responses to new threats.
To improve configuration management, HHS should continue using qualitative and quantitative performance measures to determine the effectiveness of the operating divisions’ plans. Those measures should be based on results from automated toolsets that identify security misconfigurations and unsupported information system components and that gauge the effectiveness of flaw remediation processes.
To improve the identity and access management domain, the chief information officer should monitor the operating divisions’ implementation of authentication techniques for all privileged and non-privileged users.
HHS should also update the relevant department policies, procedures and guidance, and work with the operating divisions to measure the effectiveness of privacy-specific controls and training using data from tracked breaches.
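The kind of measurement the recommendation above calls for, as an added illustration that is not part of the audit report or HHS tooling: a small Python script that takes scan-style findings records and computes, per operating division, how many flaws were remediated within a severity-based deadline, how many are overdue, and which assets run components the vendor no longer supports. The deadlines in SLA_DAYS, the division and asset names, and the finding records are all constructed for the example.

```python
"""Flaw-remediation and unsupported-component metrics from scan results.

Added illustration only. The SLA deadlines, divisions, assets and finding
records are constructed; the finding IDs are scanner-style labels, not CVEs.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical remediation deadlines in days, keyed by severity.
SLA_DAYS = {"critical": 15, "high": 30, "moderate": 90, "low": 180}

BUCKETS = ("closed_on_time", "closed_late", "open_within_sla", "open_overdue")


@dataclass
class Finding:
    finding_id: str              # scanner-assigned label (constructed)
    division: str                # operating division that owns the asset
    asset: str
    severity: str                # one of the SLA_DAYS keys
    first_seen: date             # date the scanner first reported it
    remediated: Optional[date]   # None while the finding is still open
    unsupported: bool = False    # component is past vendor support


def classify(f: Finding, as_of: date) -> str:
    """Bucket a finding by whether it met, or can still meet, its deadline."""
    deadline = SLA_DAYS[f.severity]
    end = f.remediated if f.remediated is not None else as_of
    age_days = (end - f.first_seen).days
    if f.remediated is not None:
        return "closed_on_time" if age_days <= deadline else "closed_late"
    return "open_within_sla" if age_days <= deadline else "open_overdue"


def remediation_metrics(findings: List[Finding], as_of: date) -> Dict[str, dict]:
    """Per-division bucket counts, an SLA-compliance rate and unsupported assets.

    sla_compliance counts findings that were closed on time or are still open
    but inside their deadline; overdue and late-closed findings count against it.
    """
    by_div: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        by_div[f.division].append(f)

    report = {}
    for div, items in by_div.items():
        counts = {b: 0 for b in BUCKETS}
        for f in items:
            counts[classify(f, as_of)] += 1
        on_track = counts["closed_on_time"] + counts["open_within_sla"]
        report[div] = {
            **counts,
            "total": len(items),
            "sla_compliance": round(on_track / len(items), 3),
            "unsupported_assets": sorted({f.asset for f in items if f.unsupported}),
        }
    return report


# Constructed sample: two divisions, five findings, evaluated at the end of FY2018.
AS_OF = date(2018, 9, 30)
SAMPLE_FINDINGS = [
    Finding("F-1001", "OpDiv-A", "web-01", "critical", date(2018, 9, 1), date(2018, 9, 10)),
    Finding("F-1002", "OpDiv-A", "web-02", "critical", date(2018, 8, 1), None),
    Finding("F-1003", "OpDiv-A", "db-01", "high", date(2018, 7, 1), date(2018, 9, 1)),
    Finding("F-1004", "OpDiv-B", "app-07", "moderate", date(2018, 9, 20), None),
    Finding("F-1005", "OpDiv-B", "legacy-app-03", "low", date(2018, 1, 1), None,
            unsupported=True),
]


if __name__ == "__main__":
    for division, metrics in remediation_metrics(SAMPLE_FINDINGS, AS_OF).items():
        print(division, metrics)
```

Run against real scanner exports, the same two numbers, overdue count and compliance rate per division, give the quantitative measure the recommendation asks for, while the unsupported-asset list surfaces the end-of-life configurations the audit flagged at one division.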
The Office of Inspector General believes that following these recommendations will strengthen the information security program.