HHS falls behind on data security in FY 2015: 10 things to know

Staff -

The HHS Office of the Inspector General conducted a review of HHS' compliance with the Federal Information Security Modernization Act of 2014 for fiscal year 2015.

Overall, the OIG found HHS made improvements over last year, but there are a number of areas that could be improved. "Exploitation of these weaknesses could result in unauthorized access to, and disclosure of, sensitive information and disruption of critical operations for HHS," according to the OIG report.

Here are 10 findings from the audit.

1. Continuous monitoring management. HHS has a formalized information security continuous monitoring program, but did not implement a department-wide continuous monitoring program.

2. Configuration management. A number of HHS' operating divisions did not address risks presented by vulnerabilities discovered through configuration baseline compliance.

3. Identity and access management. Some of HHS' operating divisions did not implement account management procedures for new personnel, transferred personnel, terminated personnel and shared accounts.

4. Incident response and reporting. The OIG found HHS did not have oversight processes in place to manage incident response and reporting.

5. Risk management. There were no implemented procedures in place to ensure system inventories are complete, accurate and effectively managed.

6. Security training. Some of the operating divisions did not complete role-based training for security responsibilities.

7. Plan of actions and milestones. HHS and its operating divisions did not consistently document plans of action and milestones.

8. Remote access management. Some of HHS' operating divisions did not have formal and finalized policies and procedures for remote access management.

9. Contingency planning. The OIG found a number of HHS' operating divisions did not have documented and/or updated contingency plans and documentation in accordance with HHS requirements.

10. Contractor systems. HHS operating divisions lacked sufficient oversight of contractor systems.

HHS Acting CIO Beth Killoran responded to the audit in a letter. "We look forward to continuing our collaborative efforts to enhance information technology security and further implement safeguards and practices that protect HHS data and the health information of the American public," she wrote.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.