The US federal government needs to do a better job at EHR data security and privacy, concluded a federal IT systems audit by the Government Accountability Office (GAO) released May 23.
The federal government also must ensure privacy is guaranteed when facial recognition systems are used and better protect the privacy of users’ data on state-based health insurance marketplaces, GAO concluded.
To accomplish these goals and improve lax federal cybersecurity in general, agencies should implement the information security program mandated by the Federal Information Security Management Act (FISMA), GAO recommended.
FISMA requires federal agencies to develop, document, and implement an information security program that includes:
• Risk assessment
• Policies and procedures to cost effectively reduce risks
• Plans for providing adequate information security for networks, facilities, and systems
• Security awareness and specialized training
• Testing and evaluation of the effectiveness of controls
• Planning, implementation, evaluation, and documentation of remedial actions to address information security deficiencies
• Procedures for detecting, reporting, and responding to security incidents
• Plans and procedures to ensure continuity of operations
GAO said that federal agencies also need to do a better job of implementing processes for securely configuring operating systems, applications, workstations, servers, and network devices; patching vulnerable systems and replacing unsupported software; developing comprehensive security test and evaluation procedures and conducting examinations on a regular and recurring basis; and strengthening oversight of IT contractors.
The Department of Homeland Security, in particular, needs to support wider adoption of its government-wide EINSTEIN intrusion detection and prevention system, GAO stressed.
In addition, the federal government needs to improve cyber incident response practices, update guidance on reporting data breaches, and develop consistent responses to breaches of personally identifiable information, GAO said.
Federal agencies should expand efforts for recruiting and retaining a qualified cybersecurity workforce and improve cybersecurity workforce planning activities.
“Many agencies continue to be challenged in safeguarding their information systems and information, in part because many of these recommendations have not been implemented,” the audit observed.
GAO said that it has made around 2,700 recommendations to federal agencies to improve their IT security since 2010, including measures required by FISMA. But as of May 2018, around 800 of its recommendations had not been implemented.
There is some good IT health news in the report. HHS had fully implemented the GAO’s software license management recommendations to track and maintain a comprehensive software license inventory and to use the inventory to make decisions and reduce costs.
HHS was one of eight agencies that fully implemented GAO’s software license recommendations. The other agencies were the Department of Agriculture, the Department of Education, the Department of Transportation, the Department of Veterans Affairs, the General Services Administration, the National Aeronautics and Space Administration, and the US Agency for International Development.
GAO noted that the federal government needs to develop metrics to assess the effectiveness of efforts promoting the NIST Cybersecurity Framework and report on the effectiveness of cyber risk mitigation activities and the cybersecurity posture of critical infrastructure sectors.
In March 2018, the Office of Management and Budget (OMB) issued its annual FISMA report to Congress, which included the agency inspectors general’s fiscal year 2017 evaluations. Based on data from 76 inspector general and independent auditor assessments, OMB determined that the government-wide median maturity model ratings across the five NIST Cybersecurity Framework areas did not exceed level 3 out of five levels.
“In conclusion, FITARA [Federal Information Technology Acquisition Reform Act] and FISMA present opportunities for the federal government to address the high-risk areas on improving the management of IT acquisitions and operations, and ensuring the security of federal IT, thereby saving billions of dollars,” the audit said.
GAO concluded that “further efforts by OMB and federal agencies to implement our previous recommendations would better position them to improve the management and security of federal IT. To help ensure that these efforts succeed, we will continue to monitor agencies’ efforts toward implementing these recommendations.”