The Department of Health and Human Services (HHS) has not implemented a department-wide information security program, and as a result the confidentiality, integrity and availability of its many sensitive records are at risk, according to a recent report by the Government Accountability Office (GAO).

HHS is the United States’ largest health insurer, with programs that affect all Americans, whether through direct services or through information that helps people choose the appropriate levels of medical care, medicines and other health-related needs. The Centers for Medicare & Medicaid Services (CMS), a division of HHS, provides Medicare and Medicaid services to one in four Americans, according to GAO.

“HHS computer networks and systems have numerous electronic access control vulnerabilities related to network management, user accounts and passwords, user rights and file permissions, and auditing and monitoring of security related events,” the report reads. “In addition, weaknesses exist in other types of controls designed to physically secure computer resources, conduct suitable background investigations, segregate duties appropriately, and prevent unauthorized changes to applications software.”

The report attributes these vulnerabilities to the fact that HHS has not fully implemented a department-wide information security program at all of its various divisions; specifically, the department has not fully implemented elements related to the following eight areas:

• risk assessments
• policies and procedures
• security plans
• security awareness and training
• tests and reviews of control effectiveness
• remedial actions
• incident handling
• continuity of operations plans

“Until HHS fully implements a comprehensive information security program, security controls may remain inadequate; responsibilities may be unclear, misunderstood, and improperly implemented; and controls may be inconsistently applied,” the report reads.

GAO recommends that the department’s secretary instruct its chief information officer to take action toward ensuring that all of these points are addressed at all of HHS’ operating divisions.

In a response to a draft of the report, HHS officials acknowledged that the department has some improvements to make, but noted that GAO did not give any credit for the progress it had already made.

Check out the full GAO report and the highlights page.