Audit: HHS Info Security Program 'Not Effective'
What Can Healthcare Entities Learn From HHS OIG Report?
The Department of Health and Human Services' information security program has received a "not effective" rating as a result of several weaknesses found in an annual review of compliance with the Federal Information Security Management Act of 2014.
The HHS Office of Inspector General report is based on an audit conducted last year by Ernst & Young LLP, which reviewed HHS' compliance with FISMA during fiscal 2018.
The report notes that while HHS is making an effort to strengthen its enterprisewide information security program, several areas of weakness dragged down HHS' overall rating - including some areas where security worsened compared to the previous year.
"Based on the results of our evaluation, we determined that HHS' information security program was 'not effective' as it did not meet the 'managed and measurable' level in the following functional areas: identify, protect, detect, respond and recover."
Attaining a "managed and measurable" maturity level is dependent on the full implementation of a continuous diagnostics and mitigation program, or CDM, OIG writes.
"HHS continues to work toward implementing a departmentwide CDM program in coordination with the Department of Homeland Security to include continuous monitoring of its networks and systems, documenting operating divisions' progress to address and implement strategies and reporting its progress through DHS dashboards," OIG writes.
Five Key Weaknesses
The OIG report notes that auditors found weaknesses in five key cybersecurity framework areas, including:
- Risk management;
- Configuration management; identity and access management; data protection and privacy; and security training;
- Information security continuous monitoring;
- Incident response;
- Contingency planning.
"Through the full implementation of the CDM program, HHS hopes to gain ongoing, data-driven insights into cyber risks and achieve managed and measurable maturity levels across the cybersecurity framework functions," OIG writes. "However, we have identified some opportunities that will strengthen the overall information security program, which should allow HHS to achieve a higher level of maturity for each domain and function."
HHS needs to continue to build a working model "where all the functional areas interact with each other in real time and provide holistic and coordinated responses to security events," according to the report. This can be achieved, OIG writes, "as HHS deploys the CDM tools and continues to modernize its IT processes and optimize their security controls as a result of the data generated and monitored by the CDM tools."
Lessons to Learn
Healthcare organizations can learn lessons from the HHS watchdog report, including that cybersecurity efforts should never really be considered finished and compliance with regulatory requirements and benchmarks can be a moving target, says Susan Lucci, senior privacy and security consultant at tw-Security.
"In healthcare, simply establishing a compliance program to meet regulatory requirements is a misguided end goal," Lucci says.
"This audit is a wake-up call that covered entities and business associates should be seeking a higher level of maturity" in every security domain, she adds.
"Breaches continue to happen despite having a good program in place. If organizations aren't continually evaluating the current program's efficacy and making modifications to policies, processes and training, then complacency can set in and incidents will continue to occur."
OIG made several recommendations to HHS on how it can address the weaknesses identified by auditors. For example, OIG says HHS should:
- Develop an approach to ensure that CDM tools, as well as security governance, risk management and compliance (SGRC) tools and their associated processes, are implemented at all operating divisions, so that risk management programs are integrated at the enterprise, business process and information system levels.
- Work with operating divisions to leverage qualitative and quantitative performance measures to determine the effectiveness of the divisions' configuration management plans. These measures should be based on results from automated toolsets.
- Work with operating divisions to determine the effectiveness of identity and access management processes. These measures should monitor operating divisions' implementation of strong authentication techniques.
- Work with operating divisions to measure the effectiveness of privacy-specific controls and training.
- Provide departmentwide guidance and DHS-supplied CDM tools to each operating division for the implementation of information security continuous monitoring programs. This should include periodic reporting requirements and metrics to monitor real-time threats identified by the computer security incident response center.
The report notes that the HHS Office of the Chief Information Officer concurred with all of OIG's recommendations and described the actions it has taken or plans to take to implement them.