Government & Policy

OIG finds OPM still struggling with security

By Jack McCarthy
November 30, 2015
07:55 AM

The Office of Personnel Management (OPM), victim of a massive data breach in July in which personal records of 21.5 million individuals were compromised, continues to struggle to meet security requirements, according to an audit by OPM's Office of Inspector General (OIG).

The audit found that the OPM has made some progress improving security practices. But it found the agency lacking in many areas.

The audit outlined several recommendations which the OPM should take to meet the security requirements mandated under the Federal Information Security Modernization Act (FISMA).

"In FY 2015 OPM was the victim of a massive data breach that involved the theft of sensitive personal information of millions of individuals," the audit said. "For many years we have reported critical weaknesses in

OPM's ability to manage its information technology (IT) environment, and warned that the agency was at an increased risk of a data breach.

"In the wake of this data breach, OPM is finally focusing its efforts on improving its IT security posture," the report continued. "Unfortunately, as indicated by the variety of findings in this audit report, OPM continues to struggle to meet many FISMA requirements."

The OIG said the audit shows an "overall lack of compliance that seems to permeate the agency's IT security program."

The agency showed poor judgment by delaying a full security assessment while it migrates applications into a new technical infrastructure, the audit said. "Combined with the inadequacy and non-compliance of OPM's continuous monitoring program," the audit said, "we are very concerned that the agency's systems will not be protected against another attack."

Among the findings, OPM has up to 23 systems that have not been subject to a thorough security controls assessment. "Combined with the inadequacy and non-compliance of OPM's continuous monitoring program, we are very concerned that the agency's systems will not be protected against another attack," the OIG said.

OPM has also failed to accurately inventory its systems and network devices, "drastically" diminishing the effectiveness of its security controls. While OPM has implemented a large number of improved security monitoring tools, without a complete understanding of its network, it cannot adequately monitor its environment and therefore the usefulness of these tools is reduced, the audit said.

The audit found that OPM's system development life cycle policy is not enforced for all system development projects; it does not maintain a comprehensive inventory of servers, databases, and network devices; and it does not have a mature continuous monitoring program in which security controls for its systems are adequately tested in accordance with its own policy.

In addition, auditors were unable to independently confirm OPM has a mature vulnerability scanning program. Multi-factor authentication is not required to access OPM systems in accordance with OMB memorandum M-11-11; many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy; and the agency has not configured its virtual private network servers to automatically terminate remote sessions in accordance with agency policy.

The OIG made 26 recommendations. The auditors said OPM should develop and maintain a comprehensive inventory of all servers, databases, and network devices that reside on the OPM network. The OPM's Office of the CIO (OCIO) should develop a plan and timeline to enforce the new Systems Development Lifecycle (SDLC) policy to all of OPM's system development projects. Additionally, the OCIO should implement a process to ensure routine vulnerability scanning is conducted on all network devices documented within the inventory.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

VA building signage
House passes veterans healthcare package without RESET Act

Most Read

What Loper Bright and the end of Chevron deference mean for HHS
India to harness ABDM data to develop public AI
South Korea to digitise medical image exchange system
ASTP intros 2024 draft Federal FHIR Action Plan
VA must strengthen controls addressing EHR performance
HHS investing $75 million in rural healthcare infrastructure

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

More Stories

BJ Schaknowski of symplr
Too many IT systems with limited alignment impacts care quality
Doctor in scrubs using computer
Tenet to deploy AI platform across its physician network
Healthcare CIO with other healthcare executives
Health system CIOs' strategic responsibilities continue to evolve
George Pappas at Intraprise Health_Digital shield and lock Photo by da-kuk/Getty Images
Tighter cyber mandates hold New York providers to higher security standards
Clinicians look at diagnostic imaging
American College of Radiology launches AI quality registry
A doctor with glasses sits at a desk and speaks during a telehealth visit.
DEA and HHS extend virtual prescribing for controlled substances through 2025
Dr. Jay Anders at Medicomp Systems_Computer chip with stethoscope Photo by Just_Super/iStock/Getty Images Plus
Transparency and responsible AI are crucial for medical devices
George Pappas of Intraprise Health on cybersecurity
How to protect telemedicine from cyberattacks