HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Government Accountability Office Report Confirms Widespread Security Failures at 24 Federal Agencies

A Government Accountability Office report has shown federal agencies are struggling to implement effective information security programs and are placing data systems and data at risk of compromise.

In its report to Congress – Federal Information Security – Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices – GAO explained, “The emergence of increasingly sophisticated threats and continuous reporting of cyber incidents underscores the continuing and urgent need for effective information security.” However, “Systems used by federal agencies are often riddled with security vulnerabilities—both known and unknown.”

GAO explained that “The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies in the executive branch to develop, document, and implement an information security program and evaluate it for effectiveness.”

Every year, each federal agency is required to have its information security program and practices reviewed by its inspector general, or by an external auditor, to determine whether they are effective. In 2016, 24 federal agencies were reviewed, and only 7 of them were determined to have effective information security programs.


Critical security weaknesses were discovered during those audits that could lead to a system compromise and to the exposure and theft of sensitive data. Security weaknesses were found at all 24 federal agencies, including the Department of Health and Human Services, the Department of Veterans Affairs, and the Internal Revenue Service.

Most of the agencies were found to have weaknesses in all five control areas that GAO assesses: access controls, segregation of duties, configuration management controls, contingency planning, and agency-wide security management.

The Food and Drug Administration (FDA) was found to have “A significant number of security control weaknesses that jeopardize the confidentiality, integrity, and availability of its information systems and industry and public health data.”

“The National Aeronautics and Space Administration, Nuclear Regulatory Commission, Office of Personnel Management, and the Department of Veterans Affairs had not always effectively implemented access controls over selected high-impact systems.”

“The Internal Revenue Service had weaknesses in information security controls that limited its effectiveness in protecting the confidentiality, integrity, and availability of financial and sensitive taxpayer data.”

All 24 agencies had weaknesses in their access controls, and 223 configuration management weaknesses were identified at 23 of the 24 agencies. More than half of the agencies did not segregate incompatible duties to prevent unauthorized actions or unauthorized access to assets or records. A total of 623 security management weaknesses were identified across the 24 agencies, and 20 of the 24 agencies had weaknesses in implementing a security training program.

No new recommendations were made in the report, as previous audits had already highlighted these weaknesses, and inspectors general had previously issued hundreds of recommendations to address them.

GAO points out that “Until agencies correct longstanding control deficiencies and address our and agency inspectors general’s recommendations, federal IT systems will remain at increased and unnecessary risk of attack or compromise. We continue to monitor the agencies’ progress on those recommendations.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.