The enterprise-wide information security program within the Department of Health and Human Services (HHS) has improved, but there are still risk management weaknesses, issues with identity and access management (IAM), and problems in other areas, according to a recent HHS Office of Inspector General (OIG) report.
OIG explained that Federal Information Security Modernization Act of 2014 (FISMA) compliance has also made progress at the federal agency. However, HHS must ensure that all of its operating divisions (OPDIVs) “consistently review and remediate or address the risk presented by vulnerabilities discovered, consistently implement account management procedures, and accurately track systems to ensure they are operating with a current and valid Authority to Operate.”
Weaknesses were found in risk management, configuration management, IAM, security training, information security continuous monitoring, incident response, and contingency planning, OIG determined.
“Continued improvements were made by HHS in their enterprise-wide security program including adhering to security training procedures and updating policies and procedures,” report authors explained. “Further, HHS continues to work towards implementing a Department-wide Continuous Diagnostics and Mitigation (CDM) program coordinating with DHS.”
OIG specifically noted that the NIST Cybersecurity Framework can be greatly beneficial to HHS in its efforts to improve its risk management approach. NIST “provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle,” OIG said.
The HHS Office of the Chief Information Officer (OCIO) and three selected OPDIVs were found to have risk management policies and procedures that were either not finalized, reviewed, or updated. Additionally, two of the selected OPDIVs were lacking “an effective process to develop, maintain and report an inventory of software assets on the network.”
“Outdated risk and security documentation may not provide the appropriate current guidance and protection techniques for information systems, leading to increased risks for HHS,” OIG report authors wrote. “Without an effective hardware management process, there could be misuse of hardware assets for malicious purposes, threatening the operations and missions for respective OPDIVs.”
Effective programs also identify and define all system inventories, the report continued. System boundaries must be defined, software needs to be regularly updated, and software must be properly managed and patched. The lack of accountability that OIG found could also create additional attack vulnerabilities at HHS.
OIG recommended that the HHS OCIO implement “an integrated risk management program at the enterprise, business process, and information system levels that is consistent with OMB, NIST, and Department guidelines and requirements.”
HHS concurred with the risk management recommendations, saying that it will improve its software scanning and inventory capabilities for the enterprise. The agency added that “new tools, relevant policies, procedures, and guidance would be updated to reflect the new processes and capabilities that are consistent with OMB, NIST and Department guidelines and requirements.”
Similar to the 2017 report, OIG also stressed the need for improved IAM solutions. Information system access must be limited to authorized individuals, OIG stated. Organizations must “limit the types of transactions and functions that authorized users are permitted to perform based on the concept of least privilege.”
Account management procedures were not followed at two of the selected OPDIVs, OIG explained.
“This included monitoring and maintaining active and shared accounts, periodically reviewing users, enforcing resets of active network user account passwords, removing inactive accounts in a timely manner, and disabling accounts of transferred and terminated personnel in a timely manner,” report authors said.
IAM weaknesses and remote access management control weaknesses could increase the risk of inappropriate access to sensitive systems and information, OIG cautioned. Unauthorized network access can also lead to the loss, destruction, or misuse of sensitive data and resources.
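As an added illustration (not code from the OIG report or from HHS), the account management checks listed above can be expressed as a review run over an account export: inactive accounts, stale passwords, shared accounts with no owner, and accounts of separated personnel that are still enabled. The sample export, the HR separation feed and the day thresholds are constructed assumptions, not HHS policy values.

```python
from datetime import date

# Constructed sample account export (hypothetical; not HHS data).
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "last_logon": date(2019, 2, 25),
     "pwd_last_set": date(2019, 1, 15), "shared": False, "owner": "jdoe"},
    {"user": "asmith", "enabled": True, "last_logon": date(2018, 10, 1),
     "pwd_last_set": date(2018, 9, 30), "shared": False, "owner": "asmith"},
    {"user": "svc_backup", "enabled": True, "last_logon": date(2019, 2, 28),
     "pwd_last_set": date(2017, 5, 9), "shared": True, "owner": None},
    {"user": "rlee", "enabled": True, "last_logon": date(2019, 1, 18),
     "pwd_last_set": date(2019, 1, 2), "shared": False, "owner": "rlee"},
    {"user": "mchen", "enabled": False, "last_logon": date(2018, 12, 1),
     "pwd_last_set": date(2018, 11, 1), "shared": False, "owner": "mchen"},
]
# Constructed HR separation feed (user -> separation date); assumption.
SEPARATED = {"rlee": date(2019, 1, 20), "mchen": date(2018, 12, 5)}
# Review date used for the run below.
AS_OF = date(2019, 3, 1)


def audit_accounts(accounts, separated, today, inactive_days=90,
                   pwd_max_age_days=60, separation_grace_days=1):
    """Return (user, finding) pairs for enabled accounts that fail the
    account management checks named in the report. Thresholds are
    assumed values, not HHS or OPDIV policy."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing left to remediate here
        user = acct["user"]
        sep = separated.get(user)
        if sep is not None and (today - sep).days > separation_grace_days:
            findings.append((user, "separated-still-enabled"))
        if (today - acct["last_logon"]).days > inactive_days:
            findings.append((user, "inactive"))
        if (today - acct["pwd_last_set"]).days > pwd_max_age_days:
            findings.append((user, "password-not-reset"))
        if acct["shared"] and not acct["owner"]:
            findings.append((user, "shared-account-without-owner"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, SEPARATED, AS_OF):
        print(f"{user}: {finding}")
```

Running the review on a schedule and diffing its output against the previous run is the "periodically reviewing users" step; each finding maps to one remediation action (disable, reset, assign an owner).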
HHS also concurred with OIG’s IAM findings. HHS said it would track mitigation, evaluate trends, identify common issues and assess if IAM policies and procedures “are adequate at both the Department and OPDIV level.”
OIG also found security training to be lacking in certain areas. Personnel at all levels must be trained to understand their own roles within an organization and also know all IT security policies, procedures, and practices. Staff members also need to “have adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible.”
“Users who are unaware of their security responsibilities and/or have not received adequate security training may not be properly equipped to effectively perform their assigned duties and increase the risk of causing a computer security incident,” report authors wrote. “This could lead to the loss, destruction or misuse of sensitive Federal data assets.”
HHS concurred with the security training recommendations as well, and said it would track, mitigate, and evaluate those policies to ensure they remain adequate.