Risk-Based Cybersecurity Approach Key in HHS IT Strategic Plan

HHS released an IT strategic plan, focusing on a risk-based approach to cybersecurity and better threat and vulnerability management.

HHS is focusing on cybersecurity improvements in its recent IT strategic plan.

By Elizabeth Snell

Improving cybersecurity measures with a risk-based approach is a key component of the Department of Health and Human Services’ (HHS) recently released Information Technology Strategic Plan FY 2017-2020.

The plan is part of an HHS collaborative effort to fully realize all benefits of IT, HHS CIO Beth Anne Killoran explained in the report’s cover letter. As technology continues to evolve, IT must be properly used and managed, she said.

“New capabilities, including Application Programming Interfaces (APIs) and open source frameworks to support data exchange and business intelligence, ‘big data,’ and the ‘Internet of Things,’ manifest themselves in cloud-based Electronic Health Records, Telemedicine, Remote Patient Monitoring, and Wearable Technology. Modernizing core systems at HHS increasingly relies on these new digital technologies, fundamentally changing the way that information is created, preserved, and shared in more user-friendly and accessible ways,” Killoran wrote.

There are five key goals and initiatives that HHS said will help move the department forward:

The aim of cybersecurity and privacy is to protect critical systems and data, according to HHS.

“HHS employs a robust risk management approach through improved asset management, robust threat and vulnerability analysis, and established response and recovery plans and procedures,” the report’s authors explained. “This allows HHS to maintain its security posture, considering the integrated operations of HHS, consistent with its mission and business needs.”

Even so, HHS must improve the security and privacy posture of data and information systems and effectively prevent, monitor, and rapidly respond to emerging threats and vulnerabilities.

By improving the accuracy and coverage of the IT asset inventory, the department gains better visibility into potential cybersecurity targets, the report stated. IT leadership can then evaluate the potential impact of any vulnerability found against the assets in that inventory.

Improved training programs and higher compliance rates for existing security programs will also be beneficial, and can help ensure that security is built into systems from the start.

“Improved governance and integrated technical capabilities empower HHS leadership to make risk-based decisions,” the report stated. “By partnering with the private sector and other Federal agencies, HHS further expands its access to lessons learned and best practices, and creates two way communication of emerging threats and vulnerabilities.”

HHS also underlined the importance of prioritizing cybersecurity through a risk-based approach. When the department can see the risk associated with each threat and vulnerability, investments can be implemented effectively. This will reduce time and money spent on credible threats.

“Maintaining a register of prioritized threats, vulnerabilities, and risks that are regularly communicated to the [Operating Divisions (OpDivs)] enables cybersecurity and privacy protection investments to be focused across the OpDivs on the most important risks to the HHS enterprise,” the report’s authors said.  

HHS also discussed the benefits of Einstein intrusion protection and prevention. The HHS Office of Information Security (OIS) previously entered into an agreement to implement Einstein 3 Accelerated (E3A) capabilities at the Washington DC and Atlanta Trusted Internet Connection locations.

Einstein offers intrusion protection and prevention for all executive branch civilian agencies, HHS explained.

“The E3A service is the latest iteration that adds automated blocking of malicious Domain Name Service (DNS) and email traffic to its capabilities,” according to the report. “E3A improves existing DNS blocking and email scanning services through the implementation of classified indicators unavailable to commercial providers.”

Additionally, all outbound DNS requests will be “routed through the E3A servers while still maintaining the required level of responsiveness and availability given current and future traffic volumes.”
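The report describes E3A only at the level above: outbound DNS is routed through a service that blocks queries matching malicious-domain indicators. The following is an added illustration of what that kind of indicator-based DNS filtering decision looks like in code; it is example code written for this article, not E3A, not HHS software, and not based on any indicator set they use. The indicator list, the client addresses and the query records are all constructed placeholders.

```python
"""Indicator-based DNS blocking decision (added example, not E3A or HHS code).

Given a list of malicious-domain indicators and a stream of outbound DNS
query records, decide for each query whether it should be blocked. The
indicator list and the query records below are constructed for the example.
"""

from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed indicator list (placeholders, not real IoCs). A real deployment
# would load these from a threat-intelligence feed.
MALICIOUS_DOMAINS: Set[str] = {
    "malicious-example.test",
    "c2.badactor-example.test",
}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Evil.TEST.' == 'evil.test'."""
    return name.strip().lower().rstrip(".")


def matches_indicator(qname: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator that covers qname, or None if no indicator matches.

    A query for any label under an indicator domain (for example
    'www.malicious-example.test') counts as a hit, because operators rotate
    hostnames under a zone they control. Matching is done label by label
    rather than with a string suffix test, so 'notmalicious-example.test'
    does not match 'malicious-example.test'.
    """
    labels = normalize(qname).split(".")
    # Walk from the full name up through its parent zones: a.b.c -> b.c -> c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


@dataclass
class Decision:
    client: str
    qname: str
    action: str            # "block" or "allow"
    indicator: Optional[str]


def decide(record: str, indicators: Set[str] = MALICIOUS_DOMAINS) -> Decision:
    """Parse one constructed query record, '<client_ip> <qname> <qtype>', and decide."""
    client, qname, _qtype = record.split()
    hit = matches_indicator(qname, indicators)
    return Decision(client, normalize(qname), "block" if hit else "allow", hit)


# Constructed sample of outbound queries as a resolver might log them.
SAMPLE_QUERIES: List[str] = [
    "10.1.2.3 www.example.org A",
    "10.1.2.4 Malicious-Example.TEST. A",               # case and trailing dot
    "10.1.2.5 beacon.c2.badactor-example.test TXT",     # host under an indicator zone
    "10.1.2.6 notmalicious-example.test A",             # looks similar, different zone
]


def run(records: List[str] = SAMPLE_QUERIES) -> List[Decision]:
    """Apply the blocking decision to every record and return the results."""
    return [decide(r) for r in records]


if __name__ == "__main__":
    for d in run():
        tag = f"  [{d.indicator}]" if d.indicator else ""
        print(f"{d.action:5} {d.client} {d.qname}{tag}")
```

The label-by-label walk is the part worth noting: a naive `endswith` check would either miss subdomains of an indicator or wrongly block unrelated zones that merely share a suffix, and the fourth sample record is there to show the difference.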

HHS concluded that it is going through a digital transformation, and its interactions with private sector customers and partners may fundamentally shift.

“These changes include a focus on shared services, customer-centric operations, and mobile services,” the report authors wrote. “This shift means users and partners will have confidence in the timeliness, integrity, and security of the data they receive and its availability on a variety of platforms and devices.” 
