OIG again deems HHS' infosec program ineffective

In its FISMA review for FY 2024, the watchdog agency said that the U.S. Health and Human Services was unable to meet managed and measurable maturity for core metrics.
By Andrea Fox
10:47 AM

Photo: John M. Lund Photography Inc./Getty Images

Similar to its findings last year, the Office of Inspector General said Tuesday that the U.S. Health and Human Services continued to have difficulty in identifying, detecting, responding to and recovering from threats to information security. 

WHY IT MATTERS

In its annual audit required by the Federal Information Security Modernization Act of 2014, OIG said it reviewed HHS programs and practices against its core and supplemental metrics. 

Through the effort, it found that HHS was "not effective" in meeting maturity for all five function areas under the NIST framework for federal agencies – Identify, Protect, Detect, Respond and Recover – OIG said in its new report.

OIG said it made six recommendations to HHS to strengthen its information security program through improved oversight and information security controls implementation:

  • Update its enterprise architecture system inventory and software/hardware asset inventories to include the information systems and components that are active on the HHS network.
  • Complete implementation of a cybersecurity risk management strategy to assess and respond to identified risks within the agency and identified across operating divisions, watch for new risks and monitor risks, and confirm implementation. 
  • Require operating divisions to incorporate analyses of security impacts of significant changes prior to implementation to measure the impact on the organizations’ security and enterprise architecture and confirm implementation.
  • Require operating divisions to implement an effective supply chain risk management program that meets the defined standards across HHS and confirm implementation is consistent with established standards. 
  • Require operating divisions to establish oversight of background investigations performed for employees and contractors with logical access across the agency and perform continuous monitoring for new and existing users to ensure operating divisions are aware of the investigation status of their users. 
  • Confirm that operating divisions' policies require monitoring of privileged user accounts for both logging and activity reviews in an automated manner. 

THE LARGER TREND

FISMA requires federal agency Inspectors General to perform annual independent evaluations of their agencies' information security programs and practices to determine the effectiveness of those programs and practices.

While meeting FISMA requirements has challenged many federal agencies, HHS has had difficulty meeting requirements in years past. As recently as July, OIG said an audit and testing of the agency's cloud systems found flaws in its defenses.

The agency "did not accurately identify and inventory all of its cloud systems in accordance with HHS security requirements," OIG said in that report

"Also, although [HHS] implemented some security controls to protect its cloud systems, several key security controls were not effectively implemented in accordance with federal requirements and guidelines."

Generally speaking, most federal agencies are found inadequate in their implementation of information security policies and practices. 

Two years ago, the Government Accountability Office said there were broad inconsistencies in meeting FISMA. Seventeen of 23 civilian agencies failed to fully meet their cybersecurity targets, and 16 of those agencies' Inspectors General reported ineffective infosec programs in their annual audits.

In September, per the Health Information Technology for Economic and Clinical Health Act, HHS published its 2024-2030 Federal Health IT Strategy. In the plan, HHS aligned its cybersecurity goals with its Healthcare Sector Cybersecurity concept paper published last year, and the voluntary healthcare-specific Cybersecurity Performance Goals the agency proffered to the healthcare sector in January.

ON THE RECORD

"HHS concurred with five of our recommendations," the watchdog agency said in the audit report.

"HHS did not concur with the recommendation to complete implementation of a cybersecurity risk management strategy, because it believes its current strategy is sufficient."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.