The IT infrastructure office at the Department of Health and Human Services has some serious security problems. That is the conclusion of a less-than-satisfactory security report card the office received from the Office of Inspector General this week.
After reviewing the security controls at HHS' Office of Information Technology Infrastructure and Operations, or ITIO, OIG officials found significant security deficiencies in several areas that could impact data security at multiple divisions of HHS.
OIG tested security controls, interviewed security personnel and reviewed policies and procedures in place at ITIO in fall 2013. It concluded that the office, which is responsible for IT security and network services at the Administration for Children and Family, the Administration for Community Living and the Health Resources and Services Administration, had poor patch management controls. "We identified some vulnerabilities that, if exploited, could have led to unauthorized disclosure, modification or unavailability of critical data," OIG officials wrote in the report.
For security reasons, those vulnerabilities were not specifically identified.
Other failings identified included improper antivirus management, inadequate tracking of IT assets, poor configuration management and poor USB port access control.
After conducting a similar review of HRSA IT security controls, the Office of Inspector General found similar deficiencies, among them substandard encryption and antivirus practices. HRSA currently has a database of some 22 million people to whom it provides healthcare services.