OIG: HHS InfoSec Weaknesses Need Attention
New Audit Report Spotlights Long List of Trouble Spots
The Department of Health and Human Services has taken steps to improve its overall information security but still has a long list of weaknesses, including identity and access management and incident response shortcomings, that need more attention, according to a federal watchdog agency's audit.
The HHS Office of Inspector General's audit report, issued March 7, was based on an audit performed by the consulting firm Ernst & Young LLP that reviewed HHS' compliance with the Federal Information Security Modernization Act of 2014, or FISMA, as of Sept. 30, 2015.
In listing HHS' security shortcomings, the report notes: "Exploitation of these weaknesses could result in unauthorized access to, and disclosure of, sensitive information and disruption of critical operations for HHS. As a result, we believe the weaknesses could potentially compromise the confidentiality, integrity, and availability of HHS' sensitive information and information systems."
Among the HHS operating divisions examined in the audit were the Administration for Children and Families, Centers for Medicare and Medicaid Services, Indian Health Service, National Institutes of Health and the Office of the Secretary.
A Critical Step
Having a solid incident response plan combined with strong continuous monitoring is critical not only for government entities, but for all organizations within the healthcare sector, security experts say.
"You need to understand your network traffic, and be watching for certain things proactively, and as soon as you see something, you investigate," said Dave Summit, director of information security at Moffitt Cancer Center in Tampa, Fla., during a session last week at the HIMSS 2016 Conference in Las Vegas. "You need to catch and stop incidents from progressing."
Incident response is also a common weak spot among other organizations that OIG has scrutinized. For instance, based on an OIG report released in April 2015, incident detection, reporting and response were among the top three areas where compliance gaps were found in fiscal 2013 when OIG reviewed information security of nine Medicare contractors (see OIG: Medicare Contractors Have Infosec Gaps).
Among information security activities that still need improvement at HHS and some of its operating divisions, according to the new audit report, are:
- Incident Response and Reporting: Oversight processes had not been implemented by HHS to enforce incident response and reporting procedures at its operating divisions.
- Identity and Access Management: Some HHS operating divisions did not consistently implement account management procedures for shared accounts, new personnel, transferred personnel and terminated personnel.
- Continuous Monitoring Management: HHS has not fully implemented a department-wide, continuous monitoring program that includes updating and finalizing policies and procedures indicating how its operating divisions address and implement strategies, and report on DHS metrics. This includes vulnerability management, software assurance, information management, patch management, license management, event management, malware detection, asset management and network management.
- Configuration Management: Some HHS operating divisions did not consistently review and remediate or address the risk presented by vulnerabilities discovered in configuration baseline compliance and vulnerability scans.
- Risk Management: HHS did not implement procedures to oversee that system inventories are complete, accurate and effectively managed, including reconciling to the operating division-managed system inventory tools.
- Security Training: Some operating divisions did not monitor the completion of role-based training for significant security responsibilities and other security training for personnel using IT systems.
- Plan of Action and Milestones: These were not consistently documented and tracked by HHS and its operating divisions.
- Remote Access Management: Some operating divisions had not developed formal and finalized remote access policies and procedures.
- Contingency Planning: Some divisions did not complete required contingency planning documentation, including business impact analysis, continuity of operation plans, and information system contingency plans.
- Contractor Systems: Some operating divisions did not have effective contractor oversight protocols.
The report does not identify which of the examined divisions had the various weaknesses.
Mac McMillan, CEO of the security consulting firm CynergisTek, says some of the shortcomings highlighted by OIG are common problems at healthcare entities in the private sector.
"Many of the areas identified here are often seen in the private sector as well, but far and away the most prevalent are the inconsistency in training, lack of implemented standards, weakness in detection and solid actionable recovery plans and procedures," he says.
Nonetheless, each of the HHS problems identified by OIG is troubling, he adds. "All of the issues identified are interdependent upon one another for good overall security and the ability to detect, respond and recover effectively from an incident. You can't really single out one or two of them and say these are most important," he says. "This is the biggest problem we have in healthcare today with respect to security. There are no shortcuts here."
The report lists a series of general recommendations that HHS and its operating divisions should implement to address the weaknesses and "further strengthen its information security program."
Among the recommendations, OIG says HHS should:
- Implement an oversight protocol to monitor the operating divisions' timely reporting of incidents to the appropriate parties. Also, monitor that the policies and procedures for incident response developed at the operating divisions are reviewed and updated on an annual basis.
- Enhance its information security continuous monitoring program and continue to provide department-wide guidance to each operating division on the implementation of their programs.
- To improve risk management, perform a detailed reconciliation with the HHS system inventory and each operating division system inventory on a monthly basis. Also, provide guidance to the operating divisions on implementing a risk management program that is consistent with the HHS and National Institute of Standards and Technology guidelines.
- Perform a formal reconciliation with HHS' plan of action and milestones and each operating division's plan of action and milestones on a monthly basis.
In addition, OIG said it made a list of specific recommendations to leaders of the various HHS operating divisions to address the other weaknesses.
In its response to the audit included in the report, HHS said it concurred or partially concurred with all of the recommendations and described actions it has taken and plans to take to implement them.
For instance, HHS says its office of the chief information officer "will review all the information and determine if additional or updated enterprise identity and access management policies and/or procedures would assist the operating divisions."
Also, regarding incident response, HHS notes that starting in 2016, it is scheduled to complete two incident response plan tabletop exercises per year with each operating division, "where [the divisions'] policies, procedures and plans are tested to ensure that they are up-to-date, effective and in compliance with U.S. Computer Emergency Readiness Team, HHS OCIO, and other federal guidelines."
HHS did not immediately respond to Information Security Media Group's request for comment on the latest report.