Business Continuity Management / Disaster Recovery , Governance & Risk Management
HHS Information Security Program Still 'Not Effective'Audit Again Cites Contingency Planning Weaknesses
Yet another audit has given the Department of Health and Human Services information security program a "not effective" rating for several issues, including contingency planning weaknesses in operating divisions.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
An HHS Office of Inspector General report issued last week is based on an audit conducted last year by Ernst & Young LLP, which reviewed the department's compliance with the Federal Information Security Modernization Act of 2014 during fiscal 2020.
The HHS information security program also was rated "not effective" in audits conducted in fiscal 2019 and fiscal 2018.
In each of the three most recent audits, contingency planning - a critical part of the "recover" functions assessed for FISMA compliance - was found deficient in several HHS operating divisions.
“The goal of the recover function is to develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event," OIG writes. "The recover function supports timely recovery to normal operations to reduce the impact from a cybersecurity event."
Some Progress, But Not Enough?
In its latest report, HHS OIG notes that HHS overall "continues to implement changes to strengthen the maturity of its enterprisewide cybersecurity program."
Progress continues to be made to sustain cybersecurity maturity across all FISMA domains, with the most notable increased maturation in data protection and privacy and information systems continuous monitoring, the report states.
"The 'gaps' look very similar to what we see across the sector."
—David Finn, CynergisTek
The report notes, however, that “HHS and its operating divisions have not consistently implemented its contingency planning functions; therefore HHS's contingency planning program is not effective."
Areas of Weakness
Examples of inconsistent or deficient contingency planning highlighted in the new report include:
- Four operating divisions have not allocated resources in a risk-based manner for stakeholders to effectively implement system contingency planning activities.
- Four operating divisions did not employ automated mechanisms to thoroughly and effectively test system contingency plans.
- Four operating divisions did not incorporate the results of organizational and system-level business impact analysis into strategy and do not plan development efforts consistently.
- Two operating divisions did not communicate to relevant stakeholders the metrics on the effectiveness of recovery activities and did not ensure that the data supporting the metrics was obtained accurately, consistently and in a reproducible format.
- Two operating divisions did not consistently implement their processes, strategies and technologies for information system backup and storage, including the use of alternate storage and processing sites.
- One operating division did not manage its information and communications technology supply chain risks related to contingency planning activities.
The report provides several recommendations for HHS to strengthen its overall information security program. For example, it notes that HHS should "develop a process to ensure information system contingency plans are developed, maintained and integrated with other continuity requirements by information systems."
OIG notes that HHS concurred with 11 recommendations and did not concur with two recommendations.
HHS did not immediately respond to Information Security Media Group's request for comment on the report.
In addition to contingency planning shortcomings, the report noted issues in several other areas, including identity and access management as well as incident response.
For instance, the report noted that one operating division was unable to provide evidence of periodic review and adjustment of privileged user accounts and permissions.
Meanwhile, OIG noted that the department's incident response process to determine whether an event should be declared a “major incident” based on all of the criteria defined by Office of Management and Budget should be enhanced.
"Specifically, the process did not determine whether the incident had or may have had a perceived or actual impact to the American people’s public confidence in U.S. government systems, their civil liberties or their public health and safety," the report noted.
Some experts note that the weaknesses OIG cited in HHS contingency planning are akin to challenges faced by private sector healthcare entities.
"The 'gaps' look very similar to what we see across the sector," says former healthcare CIO David Finn, an executive vice president at security consulting firm CynergisTek.
"There is a long history of businesses that no longer exist because of inadequate contingency planning."
—Tom Walsh, tw-Security
Ransomware attacks have shown the importance of testing backup strategies, technologies and processes and having alternate storage and processing sites ready to deploy in the event of a shutdown, he says.
"Everyone needs to test or exercise those contingency plans on some regular basis at the enterprise level. And, most importantly, they need to take the lessons learned in those exercises and 'upgrade' contingency plans," he says.
Tom Walsh, founder of consulting firm tw-Security, says "resiliency equals survival." He adds: "There is a long history of businesses that no longer exist because of inadequate contingency planning - or worse, those who mistakenly thought, 'it won’t happen to me,' and did not even take basic precautions to protect themselves."
Two common contingency planning issues beleaguer most organizations, according to Walsh.
"IT staff have a reputation for being poor at documentation," he notes. And accuracy is a problem as well. "Things are always changing, especially in larger organizations. Even a well-written contingency plan can become quickly outdated," he says.
And if an organization does not practice carrying out its contingency plan, it's not fully prepared, Walsh notes. "Practicing prepares the entire team for a more coordinated, well-communicated approach to recovery. The IT department cannot do this alone."