HHS has made great progress in working to improve its cybersecurity measures and overall approach to stronger cyber hygiene, according to a recent White House report.
HHS has aligned its approach to cybersecurity with the Cybersecurity Act of 2015 and the Cybersecurity National Action Plan, stated the annual report to Congress on the Federal Information Security Modernization Act of 2014.
“In particular, HHS has improved its Cyber Hygiene capabilities to patch critical vulnerabilities, implemented a program to review the security protections on our High Value Assets, and significantly increased the use of Personal Identity Verification (PIV) credentials,” the report explained. “HHS is moving forward with the Continuous Diagnostics and Mitigation (CDM) program and has procured additional tools that will enhance the program.”
Report authors added that HHS has been working with the Department of Homeland Security (DHS) to improve its ability to share cyber threat indicators and defensive measures in real time.
For the report, federal agencies were evaluated across the five NIST Cybersecurity Framework core functions (Identify, Detect, Protect, Respond, and Recover).
The Inspector General assessment found HHS to have implemented those core functions as follows:
- Identify (Level 3 – consistently implemented)
- Detect (Level 3 – consistently implemented)
- Protect (Level 2 – defined)
- Respond (Level 3 – consistently implemented)
- Recover (Level 3 – consistently implemented)
In 2016, HHS implemented a comprehensive anti-phishing program and developed the CyberCare program to disseminate security information to White House staff, the report explained. Furthermore, the agency developed a new HHS information technology (IT) Strategic Plan. The plan focused on the importance of the Federal Information Technology Acquisition Reform Act (FITARA) and described “a vision in the delivery of IT to enable the mission.”
“HHS continues to work towards implementing a department-wide CDM program to include continuously monitoring networks and systems, updating and finalizing policies and procedures, documenting Operating Division’s (OPDIV) progress to address and implement strategies and reporting through DHS dashboards,” the report authors wrote.
The agency is also aware of areas where it must continue to improve information security, including but not limited to configuration management, identity and access management, risk management, and incident response.
“HHS also needs to ensure that all OPDIVs consistently review and remediate or address the risk presented by vulnerabilities, consistently implement account management procedures, and accurately track systems to ensure they are operating with a current and valid ATO,” stated the report. “This will strengthen the program and further enhance the HHS mission.”
HHS released its IT strategic plan earlier this year, and said that it is part of an HHS collaborative effort to fully realize all benefits of IT.
“New capabilities, including Application Programming Interfaces (APIs) and open source frameworks to support data exchange and business intelligence, ‘big data,’ and the ‘Internet of Things,’ manifest themselves in cloud-based Electronic Health Records, Telemedicine, Remote Patient Monitoring, and Wearable Technology,” wrote HHS CIO Beth Anne Killoran. “Modernizing core systems at HHS increasingly relies on these new digital technologies, fundamentally changing the way that information is created, preserved, and shared in more user-friendly and accessible ways.”
HHS explained that it wanted to focus on the IT workforce, cybersecurity and privacy, shared services, interoperability and usability, and IT management.
The agency must also improve the security and privacy posture of data and information systems, the report stated. HHS needs to effectively prevent, monitor, and rapidly respond to emerging threats and vulnerabilities.
“Improved governance and integrated technical capabilities empower HHS leadership to make risk-based decisions,” the report’s authors wrote. “By partnering with the private sector and other Federal agencies, HHS further expands its access to lessons learned and best practices, and creates two way communication of emerging threats and vulnerabilities.”