Government & Policy

HHS, FDA, VA among the 24 federal agencies with ineffective security, report says

Inspector generals and GAO have made hundreds of recommendations to these agencies about deficiencies in security controls, but many have yet to be fully implemented.
By Jessica Davis
October 06, 2017
12:45 PM

The U.S. Department of Health and Human Services, Food and Drug Administration and the Department of Veterans Affairs are among the 24 federal agencies with widespread security failures due to ineffective security programs, according to a new Government Accountability Office report.

The majority of those organizations are struggling in five control areas: access controls, configuration management, segregation of duties, contingency planning and security management. In fact, the report found that most agencies lacked effective security program functions in the fiscal year 2016.

Specifically, the FDA and HHS have “a significant number of security control weaknesses that jeopardize the confidentiality, integrity and availability of its information systems and industry and public health data.”

[Also: HHS to face audit of its own cybersecurity, incident response capabilities]

The FDA hasn’t fully or consistently implemented access controls, such as those meant to manage security configurations to hardware and software. The report also found the FDA lacks a contingency plan and protection for media to ensure the data on these devices are sanitized before being discarded.

Both GAO and inspectors general have made hundreds of recommendations to these agencies to address “security control deficiencies.” However, many have yet to be fully implemented. Further, no new recommendations were made in the report, as the previous audits have highlighted these vulnerabilities.

“The emergence of increasingly sophisticated threats and continuous reporting of cyber incidents underscores the continuing and urgent need for effective information security,” the report authors wrote. But “systems used by federal agencies are often riddled with security vulnerabilities -- both known and unknown.”

“The Federal Information Security Modernization Act of 2014 requires federal agencies in the executive branch to develop, document and implement an information security program and evaluate it for effectiveness,” they added.

Every year, the agencies' security programs and practices are reviewed by an inspector general or outside auditors. Last year, 24 agencies were audited, and only seven were found with effective security. Not only that, but the flaws found could easily compromise the systems.

“Until agencies correct longstanding control deficiencies and address our and agency inspectors general’s recommendations, federal IT systems will remain at increased and unnecessary risk of attack or compromise,” the authors wrote. “We continue to monitor the agencies’ progress on those recommendations.”

Healthcare IT year in review

This was one of our most popular stories of the year.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Topics: 
Government & Policy, Privacy & Security

More regional news

A doctor with glasses sits at a desk and speaks during a telehealth visit.

DEA and HHS extend virtual prescribing for controlled substances through 2025

By
Andrea Fox
November 18, 2024
George Pappas of Intraprise Health on cybersecurity

How to protect telemedicine from cyberattacks

By
Bill Siwicki
November 18, 2024
Doctor talking notes while talking to a tablet

Modernizing acute care: the economic impact of bedside telehealth

November 18, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

A doctor with glasses sits at a desk and speaks during a telehealth visit.
DEA and HHS extend virtual prescribing for controlled substances through 2025

Most Read

Epic and Oracle Health sign on to Veteran Interoperability Pledge
Vendor Notebook: New cybersecurity and EHR performance upgrades 
Texas AG settles with clinical genAI company
Interoperability in healthcare moving forward despite challenges
What Loper Bright and the end of Chevron deference mean for HHS
Particle Health files antitrust suit against Epic

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

Dr. Jay Anders at Medicomp Systems_Computer chip with stethoscope Photo by Just_Super/iStock/Getty Images Plus
Transparency and responsible AI are crucial for medical devices
Lee Kim at HIMSS_Global Health Equity Week 2024
AI can be leveraged to improve cybersecurity and health equity
Dr. Keisuke Nakagawa at UC Davis Health_Global Health Equity Week 2024
How artificial intelligence is changing the equation for SDOH integration
Andrea Hsu at National Science and Technology Council_HIMSS24 APAC
Fostering health IT innovation through academic-industrial collaborations

More Stories

U.S. Department of Homeland Security seal
DHS intros framework for AI safety and security, in healthcare and elsewhere
Andrea Hsu at National Science and Technology Council_HIMSS24 APAC
Fostering health IT innovation through academic-industrial collaborations
Doctor smiles and waves into a laptop during a telehealth visit
VA plans to end telehealth copays and fund virtual care access in rural areas
Valerie Rogers at HIMSS_Global Health Equity Week 2024
Technology and policy have a role to play in improving maternal health
Mike Relli at Knight Consulting_Global Health Equity Week 2024
New approaches to improving healthcare access for justice-impacted individuals
HIT professional reviews information on a laptop outside a server room
ASPR seeks feedback on public health orgs' cybersecurity needs
Gabriel Jones of Proprio on AI
Artificial intelligence is enabling big advances in surgery
Pharmacist sorting pills
Deploy RFID technologies to streamline controlled substance management