HHS OIG: HHS Information Security Program Rated ‘Not Effective’

The Department of Health and Human Services’ Office of Inspector General has published the findings of its annual evaluation of the HHS information security programs and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA). It was determined that the HHS information security program has not yet reached the level of maturity to be considered effective.

The independent audit was conducted on behalf of the HHS’ OIG by Ernst & Young (EY) to determine compliance with FISMA reporting metrics and to assess whether the overall security program of the HHS met the required information security standards.

The HHS was assessed against the Identify, Protect, Detect, Respond, and Recover functional areas of the Cybersecurity Framework across the FISMA domains: risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring (ISCM), incident response, and contingency planning.

The maturity levels for information security are Level 1 (Ad hoc policies); Level 2 (Defined); Level 3 (Consistently Implemented); Level 4 (Managed and Measurable); and Level 5 (Optimized policies). An information security program must reach Level 4 to be considered effective.

As of September 30, 2020, the HHS had made progress since the previous audit and had implemented several changes to strengthen the maturity of its enterprise-wide cybersecurity program. There were improvements across all FISMA domains, including greater maturity in data protection and privacy and in continuous monitoring of information systems.

However, the HHS was given a “not effective” rating because it failed to achieve Level 4 maturity in any of the five functional areas: Identify, Protect, Detect, Respond, and Recover. The audit revealed deficiencies within the Identify, Protect, and Respond functional areas, and for some FISMA metric questions in Contingency Planning the maturity level was below Consistently Implemented, both at the HHS overall and at selected operating divisions (OpDivs).

The HHS achieved Defined (Level 2) for 17 FISMA metrics and Consistently Implemented (Level 3) for 42 FISMA metrics, but had yet to achieve Managed and Measurable (Level 4) in any of the IG FISMA metrics. None of the FISMA metric ratings changed from the FY19 audit, although the audit found progress in several individual IG FISMA metrics, such as consistent implementation of data exfiltration controls, ongoing Authorization to Operate (ATO) monitoring, and configuration management controls. Progress was not achieved in other areas because information security continuous monitoring is not in place across the different HHS operating divisions, and such monitoring is essential for providing reliable data to inform risk management decisions.

Several recommendations were made to strengthen the HHS’ enterprise-wide cybersecurity program. The HHS concurred with 11 of the recommendations and did not concur with 2.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.