HHS Considers Security Cost-CuttingGAO Report Finds Potential Security Effort Duplication
The Department of Health and Human Services is conducting a review to identify potential opportunities for consolidating various information security activities to cut costs. The effort was revealed in a new Government Accountability Office report that points out potentially duplicative multi-million-dollar IT investments at HHS to support enterprise security.
HHS, in a statement to Information Security Media Group, says: "HHS is in the process of reviewing the investments in light of the GAO report but cannot speculate on the outcome of the review."
In its report, Information Technology: Key Federal Agencies Need to Address Potentially Duplicative Investments, the GAO explains that it reviewed 590 IT investments at HHS, the Department of Homeland Security and the Defense Department, identifying 12 potentially duplicative investments that might have been avoidable.
These 12 investments accounted for about $321 million in spending for fiscal years 2008 through 2013. In total, the U.S. government's 26 key agencies spend about $80 billion annually on IT, says David Powner, author of the report and director of IT management at GAO.
Of the 12 investments, half were at HHS, totaling approximately $260 million. Those six investments included four totaling $257 million that support enterprise information security. The other two duplicative HHS investments were related to Medicare coverage determination.
Of the three agencies examined for duplicative IT spending, HHS was the only one GAO identified as having duplicative IT investments related to security, Powner tells Information Security Media Group.
HHS programs with potentially duplicative enterprise security investments include the Centers for Medicare and Medicaid Services' Center for Consumer Information & Insurance Oversight; Indian Health Services; the Health Resources and Services Administration; and HHS Secure One, an enterprisewide IT security program.
Although Powner could not provide specific examples of security technologies or products that may be duplicated across those four HHS units, he says a GAO review of the descriptions of those HHS programs showed investments "that look similar across the agency."
Ways to Eliminate Duplication
HHS needs to analyze whether any of its security investments in those four enterprise programs "can be leveraged by the others or consolidated," Powner says.
Though a written response from HHS is not included in the report, Powner says HHS sent an e-mail response to GAO. The report notes that HHS responded: "Although the information security investments appear to be duplicative on the surface, these investments are not analogous to a system but, rather, fund information security functions, such as personnel, policy and oversight for each component."
The report adds: "Nonetheless, HHS officials stated that the department is currently conducting a review, to be completed by September 2013, to identify opportunities for consolidation of information security activities across its components."
The report also notes that HHS "plans to use the Chief Information Security Officer Council to gather uniform toolsets that can be used across the department to improve efficiencies."
The GAO report provides visibility into the departmental and agency spending, says Patricia Titus, former chief information security officer at the Department of Homeland Security's Transportation Security Administration. In the past five to seven years there's been a huge push for consolidation of federal information systems, she explains.
"However, some systems cannot be consolidated without huge investments," she adds. "Another possible contributing factor is that not all systems have the exact same security controls, and merging the systems together can mean a degradation of data protection. In these cases, it is important for the department to properly document why duplicative systems are necessary."
But duplication of investment needs to be closely evaluated even if units within an organization believe they've got unique needs, says Hord Tipton, executive director at (ISC)Â², an IT security professional certification organization.
"Everyone wants their own special toys and systems," he says. "Compliance with established architectures will always be difficult."
Reviews such as the study GAO conducted are beneficial, Tipton says. "All [federal] agencies are required to have an Office of Management and Budgets-approved architecture," he notes. "One must determine if an agency is actually following their architecture. Sometimes audits are helpful."
The GAO report also found that the Department of Homeland Security has two potentially duplicative investments supporting immigration enforcement booking management, which includes the processing of apprehended illegal aliens suspected of committing criminal violations of immigration law, the report says.
At the Defense Department, four potentially duplicative investments include two investments for tracking healthcare status of war fighters, one of which has been canceled, and two investments for managing manage dental care, according to the report.
Improved portfolio management and governance might help all government agencies get a better handle on whether investments can be consolidated or better leveraged, Powner says.
"Sometimes there are unique requirements for some efforts, and that might be legit," he says. "But let's take a look and see."
The issues faced by the federal agencies aren't that different from other sectors, Titus says. "HHS is very similar to a large corporation with many business units or a company that has grown through mergers and acquisitions. Collapsing systems and converging data may actually come at a higher cost than to maintain separate systems," she notes.
Titus also notes that some security-related investments are more difficult to consolidate or broaden.
"Compliance reporting requirements are one area that is very difficult to stretch or not duplicate," she says. "Each agency has to report certain metrics to the department for proper oversight. Unfortunately this can drain a stretched-thin security program. We have to find a better way for organizations to invest in operationalizing security standards rather than spending all their money worrying about reporting. It's a little 'chicken and egg' I'm afraid."
Nonetheless, Titus says that there are steps HHS can take to squeeze value out of its security investments. "HHS needs to have a strong IT security strategy which will lay out the roadmap to eliminate duplicative requirements," she says. "I'm certain some private-sector CISOs could provide some lessons learned from how they've handled the same problem in their own companies."