
Audit shows HHS lagging on data security, proposes more contingency planning

Report from the Office of the Inspector General highlights risk management among 10 key areas in which agency could tighten procedures.
By Bernie Monegain

A recent report from the Department of Health and Human Services Office of the Inspector General finds that HHS could do better at protecting federal information.

The gaps range from monitoring to security training and contingency planning.

"Exploitation of these weaknesses could result in unauthorized access to, and disclosure of, sensitive information and disruption of critical operations for HHS," according to Ernst & Young, which conducted the independent audit for the OIG. "As a result, we believe the weaknesses could potentially compromise the confidentiality, integrity, and availability of HHS' sensitive information and information systems."


Assistant Inspector General for Audit Services Thomas M. Salmon detailed the findings in a March 2016 report by identifying the 10 areas the auditors found lacking. HHS responded to each finding, concurring with some, taking issue with others:

Continuous Monitoring Management. HHS has formalized its Information Security Continuous Monitoring (ISCM) program by developing ISCM policies, procedures and strategies. However, HHS has not fully implemented a Department-wide continuous monitoring program, one that continuously monitors, updates and finalizes the policies and procedures specifying how operational divisions (OPDIVs) address and implement those strategies and report on Department of Homeland Security (DHS) metrics. Such a program would cover vulnerability management, software assurance, information management, patch management, license management, event management, malware detection, asset management and network management.

Configuration Management. Some OPDIVs did not consistently review and remediate, or otherwise address the risk presented by, vulnerabilities discovered in configuration baseline compliance and vulnerability scans performed with Security Content Automation Protocol (SCAP) tools.
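The finding above is about what happens after the scan: each failed check has to be either fixed or covered by a documented, still-valid risk acceptance. The script below is an added illustration of that triage step and is not from the report or from HHS; it parses a constructed XCCDF 1.2 TestResult fragment (the format SCAP scanners emit), and the rule identifiers, severities, the risk-acceptance register and the audit date are all assumptions made up for the example.

```python
"""Triage failed rules from an XCCDF (SCAP) TestResult.

Constructed sample result document; the rule ids, severities and the
risk-acceptance register are illustrative assumptions, not HHS data.
"""
import xml.etree.ElementTree as ET
from datetime import date

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Date on which the triage is run (assumed for the example).
AUDIT_DATE = date(2016, 3, 1)

# Constructed XCCDF 1.2 TestResult fragment in the shape a SCAP scanner emits.
SAMPLE_RESULT = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_org.example_testresult_baseline">
  <rule-result idref="xccdf_org.example_rule_ssh_root_login" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_password_max_age" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_legacy_service" severity="low">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_audit_enabled" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_not_applicable" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""

# Constructed risk-acceptance register: rule id -> date the acceptance expires.
RISK_ACCEPTANCES = {
    "xccdf_org.example_rule_legacy_service": date(2017, 1, 31),
    "xccdf_org.example_rule_password_max_age": date(2015, 12, 31),  # already expired
}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def failed_rules(xml_text):
    """Return [(rule_id, severity)] for every rule-result whose result is 'fail',
    most severe first."""
    root = ET.fromstring(xml_text)
    found = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        res = rr.find(f"{{{XCCDF_NS}}}result")
        if res is not None and res.text == "fail":
            found.append((rr.get("idref"), rr.get("severity", "unknown").lower()))
    found.sort(key=lambda t: SEVERITY_RANK.get(t[1], 99))
    return found


def triage(xml_text, acceptances, today):
    """Split failures into those needing remediation and those covered by a
    current, documented risk acceptance. An expired acceptance counts as
    unaddressed, which is exactly the gap the audit describes."""
    report = {"remediate": [], "risk_accepted": []}
    for rule_id, sev in failed_rules(xml_text):
        expiry = acceptances.get(rule_id)
        if expiry is not None and expiry >= today:
            report["risk_accepted"].append((rule_id, sev, expiry.isoformat()))
        else:
            report["remediate"].append((rule_id, sev))
    return report


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_RESULT, RISK_ACCEPTANCES, AUDIT_DATE).items():
        print(bucket)
        for item in items:
            print("  ", *item)
```

Run against a real scanner export, the same loop gives a per-system list of findings that still lack either a fix or a valid acceptance, which is the evidence an OPDIV would need to show a reviewer that scan results were actually acted on.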

Identity and Access Management. Some OPDIVs did not consistently implement account management procedures for shared accounts, new personnel, transferred personnel and terminated personnel.
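The account management gaps named above (shared accounts, new personnel, transfers and terminations) are all detectable by reconciling the HR roster against the directory. The script below is an added example, not code from the report or from HHS: the roster rows, directory export, group naming convention ('<dept>-users') and onboarding deadline are constructed assumptions for illustration.

```python
"""Reconcile an HR roster against directory accounts to surface the account
lifecycle gaps an auditor looks for: terminated users still enabled,
transferred users keeping old-department access, new hires with no account
past the onboarding deadline, and shared accounts with no accountable owner.

All roster and account records below are constructed sample data.
"""
from datetime import date

# Audit date assumed for the example.
AUDIT_DATE = date(2016, 3, 1)

# Constructed HR feed: one row per person.
HR_ROSTER = [
    {"user": "asmith", "status": "active",     "dept": "finance", "start": date(2016, 1, 4)},
    {"user": "bjones", "status": "terminated", "dept": "it",      "start": date(2012, 6, 1)},
    {"user": "cwu",    "status": "active",     "dept": "legal",   "start": date(2016, 2, 22)},  # moved from hr
    {"user": "dlee",   "status": "active",     "dept": "it",      "start": date(2016, 2, 15)},  # new hire
]

# Constructed directory export: enabled flag, group memberships, and for
# shared accounts the named owner (None when nobody is accountable).
DIRECTORY = [
    {"user": "asmith",     "enabled": True, "groups": {"finance-users"},           "shared": False, "owner": None},
    {"user": "bjones",     "enabled": True, "groups": {"it-admins"},               "shared": False, "owner": None},
    {"user": "cwu",        "enabled": True, "groups": {"hr-users", "legal-users"}, "shared": False, "owner": None},
    {"user": "svc-backup", "enabled": True, "groups": {"it-admins"},               "shared": True,  "owner": "bjones"},
    {"user": "svc-scan",   "enabled": True, "groups": {"scanners"},                "shared": True,  "owner": None},
]


def dept_group(dept):
    """Group naming convention assumed for this example: '<dept>-users'."""
    return f"{dept}-users"


def reconcile(roster, directory, today, onboarding_sla_days=3):
    """Return a dict of findings keyed by the kind of lifecycle failure."""
    accounts = {a["user"]: a for a in directory}
    hr = {p["user"]: p for p in roster}
    findings = {"terminated_enabled": [], "stale_access": [], "missing_account": [],
                "shared_unowned": [], "orphaned": []}

    for p in roster:
        acct = accounts.get(p["user"])
        if p["status"] == "terminated":
            # Termination must disable the account; an enabled one is a finding.
            if acct is not None and acct["enabled"]:
                findings["terminated_enabled"].append(p["user"])
            continue
        if acct is None:
            # New personnel without an account past the onboarding deadline.
            if (today - p["start"]).days > onboarding_sla_days:
                findings["missing_account"].append(p["user"])
            continue
        # Any department group other than the current one is leftover access
        # from a transfer that was never cleaned up.
        stale = {g for g in acct["groups"] if g.endswith("-users") and g != dept_group(p["dept"])}
        if stale:
            findings["stale_access"].append((p["user"], sorted(stale)))

    for a in directory:
        if a["shared"]:
            # A shared account needs a current, non-terminated owner on the roster.
            owner = hr.get(a["owner"]) if a["owner"] else None
            if owner is None or owner["status"] == "terminated":
                findings["shared_unowned"].append(a["user"])
        elif a["user"] not in hr:
            # Personal account with no HR record at all.
            findings["orphaned"].append(a["user"])
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(HR_ROSTER, DIRECTORY, AUDIT_DATE).items():
        print(f"{kind}: {items}")
```

Each bucket maps to one clause of the finding: terminated_enabled and stale_access are the termination and transfer procedures, missing_account is new personnel, and shared_unowned is the shared-account control. Run on a schedule, the empty-bucket result is the evidence that the procedures are being applied consistently.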

Incident Response and Reporting. HHS had not implemented oversight processes to enforce incident response and reporting procedures at the OPDIVs.

Risk Management. HHS did not implement procedures to ensure that system inventories are complete, accurate and effectively managed, including reconciling them with the OPDIV-managed system inventory tools.

Security Training. Some OPDIVs did not monitor the completion of role-based training for significant security responsibilities and other security training for personnel using IT systems.

Plan of Action and Milestones. Plans of Action and Milestones (POA&Ms) were not consistently documented and tracked by the OPDIVs and HHS.


Remote Access Management. Some OPDIVs had not developed formal, finalized remote access policies and procedures.

Contingency Planning. Some OPDIVs did not complete required contingency planning documentation, including Business Impact Analysis, Continuity of Operation Plans, and Information System Contingency Plans.

Contractor Systems. Some OPDIVs did not have effective contractor oversight protocols.
