Data security controls at the Health Resources and Services Administration (HRSA) were not fully implemented and monitored, according to a recent report from the Office of the Inspector General (OIG). HRSA must improve its data security controls, including in areas such as data encryption policies and antivirus management.
The audit reviewed selected IT security controls in effect as of December 2013, and the fieldwork was performed from January through July 2014, OIG explained. Having strong information security controls is critical to an organization, OIG stated, and they “are the management, operational, and technical safeguards that an organization uses to protect the confidentiality, integrity, and availability of its information systems.”
“Selecting and implementing appropriate information system security controls is critical to the operations and assets of an organization, as well as the welfare of individuals that the organization serves,” the report said.
OIG added that HRSA’s IT services must be timely, comprehensive, reliable, and cost-effective. Moreover, as an agency under the Department of Health and Human Services (HHS), HRSA improves “access to health care by strengthening the health care workforce, building healthy communities, and achieving health equity.” Effectively managing IT resources is therefore essential to HRSA, and it must remediate the vulnerable areas that OIG identified.
In total, OIG found six vulnerable areas that HRSA must improve:
- IT Asset Inventory Management
- Patch Management
- Antivirus Management
- Encryption
- Logical Access
- USB Port Control Access
For encryption, OIG explained that HRSA did not consistently apply its policies, while for antivirus management, HRSA did not effectively monitor the antivirus status of its assets. The patch management controls were also not effectively monitored, the report said.
“HRSA had vulnerabilities that, if exploited, could have allowed unauthorized disclosure, modification, or unavailability of critical data,” OIG said.
Overall, OIG found HRSA’s approach to data security controls inconsistent. The IT asset inventory management approach was also cited as ineffective, while HRSA’s Active Directory user accounts were not consistently reviewed as outlined in HRSA’s policies.
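The Active Directory account review that OIG says HRSA’s policy required, expressed as a script: this is an added example, not HRSA’s procedure or anything from the OIG report. It assumes the RSAT ActiveDirectory module, read access to the domain, and the flagging thresholds shown (90 days of inactivity, a 365-day password age), which are assumptions rather than HRSA policy values.

```powershell
# Added example: periodic Active Directory user-account review (not HRSA's script).
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$StaleDays  = 90                                  # assumed inactivity threshold
$MaxPwdAge  = 365                                 # assumed maximum password age
$Now        = Get-Date
$Cutoff     = $Now.AddDays(-$StaleDays)
$ReportPath = Join-Path $env:TEMP ("ad-user-review-{0:yyyyMMdd}.csv" -f $Now)

# LastLogonDate is derived from lastLogonTimestamp, which replicates with a lag of
# up to 14 days, so a flagged account is a candidate for review, not proof of disuse.
$Users = Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet,
            PasswordNeverExpires, whenCreated, Enabled

$Findings = foreach ($u in $Users) {
    $reasons = @()

    # Enabled account that has not authenticated within the threshold
    if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt $Cutoff) {
        $reasons += "no logon in $StaleDays days"
    }
    # Enabled account that has never logged on and is older than the threshold
    if ($u.Enabled -and -not $u.LastLogonDate -and $u.whenCreated -lt $Cutoff) {
        $reasons += "never logged on, created more than $StaleDays days ago"
    }
    # Accounts exempt from password expiry need an explicit justification
    if ($u.PasswordNeverExpires) {
        $reasons += "password never expires"
    }
    # Enabled account whose password has outlived the assumed maximum age
    if ($u.Enabled -and $u.PasswordLastSet -and
        $u.PasswordLastSet -lt $Now.AddDays(-$MaxPwdAge)) {
        $reasons += "password older than $MaxPwdAge days"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Created         = $u.whenCreated
            Reasons         = ($reasons -join '; ')
        }
    }
}

$Findings | Sort-Object SamAccountName |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($Findings.Count) account(s) flagged for review; report written to $ReportPath"
```

The script only reports; disabling or deleting accounts belongs in a separate, approved step after a person has reviewed the CSV, which is what makes the output an audit record of the review having taken place.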
“HRSA concurred with 17 of 18 recommendations and partially concurred with one recommendation and described actions it has taken and plans to take to implement them,” OIG explained in the report.
Improving health data security was cited as one of OIG’s focus points for its Health Reform Oversight Plan for 2015.
“In planning and executing our health reform portfolio we are guided by our four key strategic goals: fighting fraud, waste, and abuse; promoting value, safety, and quality; securing the future; and advancing excellence and innovation,” OIG said in the Health Reform report.
Moreover, marketplaces and related programs are set to be a primary focus for OIG in 2015, including four key areas:
- Payments: Are taxpayer funds being expended correctly for their intended purposes?
- Eligibility: Are the right people getting the right benefits?
- Management and Administration: Is HHS managing and administering Marketplace programs effectively and efficiently?
- Security: Is consumers’ personal information safe?
OIG also listed health data security measures under “Potential Work,” which is where OIG will “continue oversight of the security of information technology and consumer information in the Marketplaces, and, as appropriate, investigate threats.”