HHS' IT 'Strategic Plan' Spotlights Cybersecurity, Privacy
Four-Year Plan Includes Cyber Workforce Development
The Department of Health and Human Services' four-year information technology strategic plan includes a risk-based approach focused on improving security and privacy protections of HHS data and systems, more effectively preventing and responding to emerging threats, and beefing up HHS' cybersecurity-related workforce.
Some experts say many of the cybersecurity and privacy-related goals in HHS' recently released plan should sound familiar to other healthcare sector organizations, which have set, or need to set, similar goals for themselves.
"In many respects these are good goals for all organizations both private and public, but each should have a strategic set of goals that maps to their particular maturity profile," notes Mac McMillan, CEO of security consulting firm CynergisTek. "Baselines, interoperability, taking a risk-based approach, good governance - these are all important elements of a sound security program."
However, while some of the goals set by HHS are similar to what all healthcare sector organizations should strive for in general, "this is a specific strategic plan for a unique federal department. That is a lot different than private sector," notes Tom Walsh, CEO of consulting firm tw-Security.
"What we try to tell our customers - covered entities and business associates - strive for identification of threats and risks [through] risk analysis, and manage the risks to an appropriate level - no business runs risk-free - and strive for compliance to HIPAA, PCI, DSS, etc."
In the recently issued report outlining HHS' plan, HHS CIO Beth Anne Killoran notes that the IT strategic plan "serves as a roadmap, outlining several steps we are taking to improve performance and ensure effective implementation of HHS IT." The plan was developed under a collaborative effort across HHS' many operating divisions, she adds.
Killoran notes that the plan replaces the "HHS Information Resources Management Plan, 2014-2018," and is the first IT strategic plan issued by HHS since the enactment of the Federal Information Technology Acquisition Reform Act, or FITARA, which was signed into law in 2014.
HHS' plan includes an assessment of where the department stands with its use and management of IT and outlines a vision for how IT will improve the department at the end of the four-year planning period.
HHS identifies five strategic goals and related initiatives. Besides cybersecurity and privacy, the other four areas of focus are development of HHS' IT workforce; shared services; data interoperability and usability; and IT management.
The plan notes that with over $11 billion in IT spending annually, HHS employs "a robust risk management approach through improved asset management, robust threat and vulnerability analysis, and established response and recovery plans and procedures. This allows HHS to maintain its security posture, considering the integrated operations of HHS, consistent with its mission and business needs."
HHS' holistic risk management approach enables prioritization to ensure that critical data and information, such as personally identifiable information, personal health information and public health data, are protected according to the appropriate level of risk throughout the system or asset's lifecycle, the plan says.
The plan also notes that "through implementation of department-level programs to support ongoing identification, validation, and prioritization of cybersecurity risks, HHS enables cybersecurity personnel to mitigate the most significant problems first while limiting unnecessary costs."
Cybersecurity and Privacy Goals
HHS' specific cybersecurity and privacy-related goals include:
- Protecting critical systems and data;
- Improving the security and privacy posture of data and information systems;
- Effectively preventing, monitoring and rapidly responding to emerging threats and vulnerabilities;
- Prioritizing cybersecurity investments through a risk-based approach.
As an example of an ongoing HHS effort to improve cybersecurity, the plan notes that in November 2015, HHS entered into an agreement with the Department of Homeland Security to implement DHS' Einstein 3 Accelerated intrusion protection and prevention capabilities. HHS has been further extending its implementation of Einstein 3A capabilities, the plan notes, including "bringing Domain Name Service components of this service online and is working to bring email protection online."
Beefing up Cybersecurity Skills
In terms of HHS' top goal related to workforce development, the plan notes HHS' aim of acquiring, deploying and sustaining a technology-enabled workforce. And an important part of that goal involves workforce development for cybersecurity competency at HHS.
"HHS has been using the National Institute of Standards and Technology National Initiative for Cybersecurity Education Framework Specialty Areas to identify IT and Cybersecurity competencies for IT and cybersecurity workforce development efforts," the report notes.
"The Department is currently assessing cybersecurity knowledge and skill requirements through a comprehensive IT Cybersecurity Workforce Development Program Pilot. This pilot is focused on developing training and workforce development tools and materials for each cybersecurity competency requirement for use by the broader IT workforce."
HHS is expanding on the pilot's approach to identify and define workforce requirements for its broader IT workforce.
"IT and cybersecurity career paths are being created for each IT and cybersecurity role category. These career paths will enable HHS to establish a manageable set of role definitions, competency models, and competency profiles that accurately reflect the requisite knowledge, skills, abilities and behaviors for successful job performance and mission achievement," the plan says.
HHS' plan appears to address some of the concerns spotlighted in a September 2016 Government Accountability Office report reviewing HHS cybersecurity of electronic health information, McMillan notes.
"The plan looks reasonable given the recent GAO report of deficiencies noted. I think the most important goal of their plan is the improvement of the security and privacy posture of its data and information systems. This was a major focus of [GAO's] assessment, and without a solid baseline other technologies will be less effective."
But are the HHS IT strategic plan's goals attainable?
"It's not easy achieving maturity in these areas, and it's a persistent pursuit because the environment, the threat, the technology, the business are all dynamic and subject to continuous change," he says. "Good security is a marathon, not a sprint."