OIG: HHS security programs getting better, but improvements still needed

While the number of flaws has decreased from year to year, HHS still needs to work on identity and access management, security training and incident response, among other areas.
By Jessica Davis
01:01 PM

The Office of Inspector General says the U.S. Department of Health and Human Services has improved its information security program, including its compliance with the Federal Information Security Modernization Act of 2014 (FISMA).

The number of negative findings has decreased from last year, officials said, and HHS "continues to implement changes to strengthen its enterprise-wide information security program."

But OIG found weaknesses in several areas, which included: continuous monitoring, configuration management, identity and access management, risk management, incident response, security training, contingency planning and contractor systems.

One major concern for healthcare is identity and access management. OIG found that two of the selected HHS operating divisions did not follow their account management procedures; the lapses included the use of shared accounts and failure to remove inactive accounts in a timely manner, among others.

When identity and access management procedures are not updated, finalized or distributed, there is no clear, current basis for how access is controlled and how the controls are implemented, officials explained.

Among its recommendations, OIG said HHS must ensure that all operating divisions "consistently review and remediate or address the risk presented by vulnerabilities discovered." Officials also said HHS needs to strengthen its account management procedures and ensure its systems are operating under a valid Authority to Operate (ATO).

"Exploitation of weaknesses we identified could result in unauthorized access to, and disclosure of, sensitive information and disruption of critical operations at HHS," the report found. "We believe the weaknesses could potentially compromise the confidentiality, integrity, and availability of HHS' sensitive information and information systems."

HHS must also bolster its incident response and reporting, officials said. Policies and procedures were not consistently updated, and incidents were not reported to US-CERT within the timeframe prescribed by its federal incident notification guidelines. Security training was found lacking as well: "security training policies and procedures at the Department were not reviewed and updated in the last three years."

Overall, OIG commended HHS' work on formalizing its continuous monitoring program through policies and strategies and through the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program, under which HHS continuously monitors its networks, updates its policies and reports progress to DHS dashboards. But OIG found that HHS should further strengthen continuous monitoring with department-wide guidance and tools.

"The Department should further strengthen its information security program," officials said in a statement. "We made a series of recommendations to enhance information security controls to the Department and specific controls for the operating divisions. The Department concurred with all of our recommendations and described actions it has taken and plans to take to implement them."

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com