Overall, the OIG found HHS made improvements over last year, but there are a number of areas that could be improved. “Exploitation of these weaknesses could result in unauthorized access to, and disclosure of, sensitive information and disruption of critical operations for HHS,” according to the OIG report.
Here are 10 findings from the audit.
1. Continuous monitoring management. HHS has a formalized information security continuous monitoring program, but did not implement a department-wide continuous monitoring program.
2. Configuration management. A number of HHS’ operating divisions did not address risks presented by vulnerabilities discovered through configuration baseline compliance.
3. Identity and access management. Some of HHS’ operating divisions did not implement account management procedures for new personnel, transferred personnel, terminated personnel and shared accounts.
4. Incident response and reporting. The OIG found HHS did not have oversight processes in place to manage incident response and reporting.
5. Risk management. There were no implemented procedures in place to ensure system inventories are complete, accurate and effectively managed.
6. Security training. Some of the operating divisions did not complete role-based training for security responsibilities.
7. Plans of action and milestones. HHS and its operating divisions did not consistently document plans of action and milestones.
8. Remote access management. Some of HHS’ operating divisions did not have formal and finalized policies and procedures for remote access management.
9. Contingency planning. The OIG found a number of HHS’ operating divisions did not have documented and/or updated contingency plans and documentation in accordance with HHS requirements.
10. Contractor systems. HHS operating divisions lacked sufficient oversight of contractor systems.
HHS Acting CIO Beth Killoran responded to the audit in a letter. “We look forward to continuing our collaborative efforts to enhance information technology security and further implement safeguards and practices that protect HHS data and the health information of the American public,” she wrote.