HHS Information Security Program Found Ineffective As Per OIG

The U.S Department of Health and Human Services’ Office of Inspector General (OIG) revealed the results of its yearly evaluation of the HHS’ compliance with the Federal Information Security Management Act of 2014 (FISMA).

Ernst & Young LLP, on behalf of OIG, performed the audit on the HHS information security program in 2018. Based on the audit, there were several security flaws in the HHS information security program, showing various ares to have a significant deterioration of security compared to 2017. Considering those issues, the HHS data security program was deemed “not effective.”

OIG comments in its report that the HHS extended efforts to strengthen security on the whole agency, but in general, there was inadequate efforts to improve the information security program’s maturity to a ‘managed and measurable’ level in the following areas of the cybersecurity framework: Identify, protect, detect, respond, and recover.

To realize a managed and measurable level, the HHS information security program needs a continuing diagnostics and mitigation (CDM) program. Through the CDM program, the information security program could go to a higher maturity level for years later on. Nonetheless, at the moment, there are weaknesses in the five cybersecurity framework function areas. They are as follows:

  • Identify: Risk management
  • Protect: Data security and privacy; settings management; security education; and identity and access management
  • Detect: Constant monitoring of data security;
  • Respond: Response to Incidents
  • Recover: Planning for contingency

According to OIG, the HHS had improved maturity score in the Identify and Protect areas, but diminished its score in the Respond area.

HHS needs to continue to build until a working model is achieved where there is real-time connection in all the functional zones and offer holistic and coordinated responses to security incidents. This may be attained as HHS utilizes the CDM tools, persists to enhance their IT processes and better their security controls, uses the documented and generated information by the CDM tools.

OIG provided several recommendations concerning the fortifying of the HHS’ information security program and enhancement of security at certain operating divisions.

The HHS agrees with the OIG recommendations and provided a comprehensive plan on implementing the recommendations.