HHS-OIG: HHS Information Security Program Not Effective
An audit of the Department of Health and Human Services (HHS) by the HHS Office of Inspector General determined that the information technology security program at the HHS was not effective. The Federal Information Security Modernization Act of 2014 (FISMA) requires HHS-OIG to conduct annual independent audits of the information technology program of the HHS to determine whether the HHS is fully compliant with FISMA.
This year’s audit was conducted at 4 of the 12 HHS operating divisions (OpDivs) and 1 staff division (StaffDiv). HHS-OIG assessed the status of the HHS security program against department and selected OpDivs’ information security program policies and other standards and guidance. Overall, the HHS information security program was rated ‘not effective,’ as the HHS was unable to meet the Managed and Measurable maturity level for the Core and Supplemental HHS-OIG metrics in the areas of Identify, Protect, Detect, Respond, and Recover, similar to the Fiscal Year 2022 audit.
The OpDivs performed better than the StaffDiv, with some of the OpDivs having achieved or almost achieved the Managed and Measurable maturity level, but some OpDivs and the StaffDiv had either stagnated and stopped making progress or had actually regressed and were significantly below the Managed and Measurable maturity level. HHS-OIG said the department has continued to define and update its policies, and those policies have been distributed to OpDivs and StaffDivs, but the HHS must do more than update policies to achieve the Managed and Measurable maturity level.
HHS-OIG recommendations include improving oversight, enhancing and enforcing information security controls, and communicating the findings of the audit to the different OpDivs and StaffDivs to increase awareness of the identified gaps. The HHS concurred with the department and OpDiv recommendations, and one of the 6 enterprise-wide recommendations. HHS did not concur with 2 recommendations as they were considered duplicative; however, HHS-OIG maintains that while they were similar, they were not identical. One of the non-concurs was for a recommendation that was also made after the 2022 audit, and the remaining two non-concur responses related to the separation of responsibilities between the HHS Office of the Chief Information Officer and OpDivs.