OIG Gives HHS Information Security Program Rating of “Not Effective”

The U.S. Department of Health and Human Services’ Office of Inspector General (OIG) has released a report of its annual review of the HHS to assess compliance with the Federal Information Security Management Act of 2014 (FISMA).

An audit of the HHS information security program was conducted by Ernst & Young LLP in 2018 on behalf of OIG. The audit uncovered several security weaknesses in the HHS information security program, including some areas where security had deteriorated compared to the 2017 review. As a result of those weaknesses, the HHS information security program was determined to be “not effective”.

OIG notes in its report that the HHS has made efforts to strengthen security across the entire agency, but overall, those efforts were insufficient to raise the level of maturity of its information security program to the “managed and measurable” level in the five cybersecurity framework areas: Identify, Protect, Detect, Respond, and Recover.

In order to attain the managed and measurable level, it is critical for the HHS to implement a continuous diagnostics and mitigation (CDM) program. The HHS has made some progress in this regard and is working with the Department of Homeland Security to ensure its networks and computer systems are continuously monitored and is documenting its progress toward meeting its goals.

Through the CDM program, the HHS will be able to achieve a higher level of maturity for its information security program in years to come, but at present several weaknesses exist in eight key areas across the five cybersecurity framework function areas:

  • Identify: Risk management
  • Protect: Configuration management, identity and access management, data protection and privacy, and security training
  • Detect: Information security continuous monitoring
  • Respond: Incident response
  • Recover: Contingency planning

OIG found the HHS had improved in the Identify and Protect areas, but its maturity rating had declined in the Respond area.

“HHS needs to continue to build towards a working model where all the functional areas interact with each other in real-time and provide holistic and coordinated responses to security events,” wrote OIG in its report. “This will be achieved as HHS deploys the CDM tools, continues to modernize their IT processes and optimize their security controls, as a result of the data generated and monitored by the CDM tools.”

OIG provided several recommendations on how the HHS can strengthen its information security program and how security can be augmented at specific operating divisions.

The HHS concurred with all of the OIG recommendations and has provided a detailed plan on how those recommendations will be implemented.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.