by Dave Gradijan

GAO: Infosecurity Lacking at HHS

Mar 23, 2006 | 2 min read
CSO and CISO, Data and Information Security

The Department of Health and Human Services (HHS) has not implemented a department-wide information security program, and as a result, the confidentiality, integrity and availability of its many sensitive records are at risk, according to a recent report by the Government Accountability Office (GAO).

HHS is the United States’ largest health insurer, with programs that affect all Americans, be it through direct services or information that helps people choose the appropriate levels of medical care, medicines and other health-related needs. The Centers for Medicare & Medicaid Services (CMS), a division of HHS, provides Medicare and Medicaid services to one in four Americans, according to GAO.

“HHS computer networks and systems have numerous electronic access control vulnerabilities related to network management, user accounts and passwords, user rights and file permissions, and auditing and monitoring of security related events,” the report reads. “In addition, weaknesses exist in other types of controls designed to physically secure computer resources, conduct suitable background investigations, segregate duties appropriately, and prevent unauthorized changes to applications software.”

The report attributes these vulnerabilities to the fact that HHS has not fully implemented a department-wide infosecurity program at all of its various divisions; specifically, the department has not fully implemented elements related to the following eight areas:

• risk assessments

• policies and procedures

• security plans

• security awareness and training

• tests and reviews of control effectiveness

• remedial actions

• incident handling

• continuity of operations plans

“Until HHS fully implements a comprehensive information security program, security controls may remain inadequate; responsibilities may be unclear, misunderstood, and improperly implemented; and controls may be inconsistently applied,” the report reads.

GAO recommends that the department’s secretary instruct its chief information officer to take action toward ensuring that all these points are addressed at all of HHS’ operating divisions.

In a response to a draft of the report, HHS officials acknowledged that the department has some improvements to make, but noted that GAO didn’t give any credit for the progress it had already made.

Check out the full GAO report and the highlights page.