OIG: HHS Making Info Security Progress, But Still Has GapsExperts Say Same Weaknesses Are Common at Healthcare Entities
The Department of Health and Human Services is making progress in improving its information security practices, but it still has gaps that put sensitive data and systems at risk of compromise, according to a new federal watchdog agency report.
Many of the ongoing HHS security weaknesses identified in the HHS Office of Inspector General's ' fiscal 2016 review of HHS compliance with the Federal Information Security Modernization Act of 2014 - including those related to continuous monitoring, configuration management and identity and access management - are also common at many healthcare organizations, some security experts say.
"These issues are found throughout healthcare, but primarily in organizations that do not have a disciplined approach to security," says Mac McMillan, CEO of the security consulting firm CynergisTek. "What we are talking about here are processes. These are not problems that are solved by technology alone or by people per se, but by disciplined application of procedure and accountability through continuous audit."
Good News, Bad News
The OIG report notes that overall, in comparison to its FISMA review of HHS a year ago, the agency has made improvements, with the number of negative findings declining.
"In addition, HHS and its operating divisions ... have implemented continuous monitoring tools that have allowed them to gain more insight to the security compliance of their assets," the report says. "HHS continues to implement changes to strengthen its enterprisewide information security program."
For instance, HHS has formalized its information security continuous monitoring program, OIG notes. HHS continues to work toward implementing a departmentwide monitoring program in coordination with the Department of Homeland Security and is working on the real-time monitoring of security controls, OIG notes.
Yet, despite HHS' progress in improving its information security program, "opportunities to strengthen the overall information security program exist," the report notes. "We continued to identify weaknesses in the following areas: continuous monitoring, configuration management, ID and access management, risk management, incident response, security training, contingency planning and contractor systems."
Exploitation of weaknesses identified could result in unauthorized access to, and disclosure of, sensitive information and disruption of critical operations at HHS, OIG reports. "As a result, we believe the weaknesses could potentially compromise the confidentiality, integrity and availability of HHS' sensitive information and information systems."
OIG says HHS needs to ensure that all its units consistently review and remediate the risks presented by vulnerabilities discovered, consistently implement account management procedures, and accurately track systems to ensure they are operating with a current and valid "authority to operate."
OIG also recommends that HHS enhance its departmentwide continuous monitoring program and provide guidance and tools to each of its operating divisions on the implementation of their monitoring programs.
HHS, in its response included in the report, says its office of the CIO concurred with the OIG's findings and recommendations.
Like HHS, many healthcare organizations face challenges with real-time monitoring.
"I'd say many are in the same place that HHS is, but some are actually beginning to do a much better job," McMillan says. "Implementing the tool or the technology is the easy part; addressing what you learn is harder. Again, organizations that have well-developed procedures for executing these processes will be more effective and achieving progress."
Real-time monitoring is a necessity," says Keith Fricke, principle consultant at tw-Security. "Hundreds or thousands of digital events take place in an organization's computing environment every minute. Identifying events of concern amidst that volume is not possible for IT staff to do manually. You can't respond, contain and remediate these bad events if you can't detect them in the first place. "
McMillan notes that although monitoring of controls is a critical component of an effective cybersecurity defense, "information without processes or remediation are just noise. We need the tools to tell us where the opportunities for improvement are; we need discipline and process to execute."
Many of the other HHS weaknesses cited by OIG are also challenges for healthcare organizations, Fricke adds.
"Continuous monitoring, IAM, and contingency planning are probably the most costly of the ones on the list to implement and maintain, but are necessary, nonetheless," he says. "Risk management, security training and configuration management can be addressed at reasonable costs.
These are common weaknesses throughout the healthcare sector, Fricke says. "Larger healthcare organizations may not struggle as much as smaller organizations to meet all these areas of security practices, as they have budgets and staff to support efforts to comply," he adds.