The Department of Health and Human Services has made improvements to its information security programs, including in its compliance with the Federal Information Security Modernization Act of 2014 (FISMA), but there are still areas that can become stronger, according to the Office of Inspector General (OIG).
There are still weaknesses in several areas, including but not limited to identity and access management, risk management, incident response, and security training, OIG explained in its report.
Improvements have happened since last year’s FISMA review, OIG stated, as the number of findings has decreased from year to year.
“In addition, HHS and its OPDIVs have implemented continuous monitoring tools that have allowed them to gain more insight to the security compliance of their assets,” the report’s authors wrote. “HHS continues to implement changes to strengthen its enterprise-wide information security program. HHS has formalized its Information Security Continuous Monitoring (ISCM) program through development of ISCM policies, procedures, and strategies.”
Overall, HHS must ensure that all OPDIVs are properly reviewed, and any risks or vulnerabilities need to be remediated or addressed. Account management procedures need to be consistently implemented, and systems must be accurately tracked “to ensure they are operating with a current and valid Authority to Operate,” OIG stated.
Identity and access management is one area that is particularly important to healthcare. OIG explained that identity and access and remote access management control weaknesses may increase the risk of inappropriate access to HHS’ network.
“Identity access and remote access policies and procedures that are not updated, finalized and distributed may result in a lack of clarity in the implementation and control of access, thereby leading to potentially unauthorized access to the network resulting in loss, destruction or misuse of sensitive data and resources,” the report’s authors maintained.
The Office of the Chief Information Officer (OCIO), which leads “the development and implementation of an enterprise information technology (IT) infrastructure across HHS,” concurred with OIG’s findings. OCIO said it would work to “track mitigation, evaluate trends, identify common issues, and assess adequacy of policies and procedures at the Department and the OPDIV level.”
Incident response and reporting is another key area that can be an issue for healthcare providers. In terms of HHS’ incident response and reporting, OIG stated that policies and procedures were not always updated in a timely manner. Incidents were also not tracked and reported to US-CERT within the prescribed timeframe.
“Without updating incident response policies and procedures, tracking incidents accurately, and reporting incidents in a timely manner to US-CERT, HHS faces an increased exposure to security risks to its IT environment,” OIG warned.
It’s important for the OCIO to “implement an adequate oversight protocol to monitor and ensure that the OPDIVs report incidents timely to the CSIRC.” Furthermore, timely updates must be made to reporting policies and procedures.
The OCIO said that the HHS Computer Security Incident Response Center (CSIRC) created a new 2016 program “to perform incident response plan tabletop exercises with each OPDIV,” which should help improve incident response and reporting.
OIG also addressed risk management, specifically noting that the NIST risk management framework, which healthcare providers often utilize, “provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.”
“A risk management framework is the foundation on which an IT security program is developed and implemented by an entity,” OIG explained. “A risk management framework should include an assessment of management’s long-term plans, documented goals and objectives of the entity, clearly defined roles and responsibilities for security management personnel and prioritization of IT needs.”
HHS’ risk management was found to be lacking. For example, OIG reported that the OPDIVs “did not consistently implement the HHS OCIO enterprise-wide and NIST risk management framework.”
Additionally, not having a consistent security authorization process will make it difficult for HHS to determine if the necessary security measures are in place for its IT systems and operations.
“This could lead to inadequate controls across systems that could compromise the security of the systems and lead to unauthorized access and manipulation of data,” according to OIG. “Without reconciling systems inventories, HHS might not have full awareness of all applicable FISMA systems for tracking, reporting, and security authorization purposes.”
OIG also discussed the following areas where HHS needs to make improvements:
- Continuous monitoring management
- Configuration management
- Security training
- Plan of action and milestones (POA&M)
- Contingency planning
- Contractor systems
Overall, OIG explained that exploitation of the identified vulnerabilities could lead to unauthorized access to sensitive data, or even to disruption of critical operations at HHS. It is important for HHS to continue to improve its information security measures to keep its information confidential and secure.