More security vulnerabilities cited within HHS

Many of the same problems found in a recent audit of the Health Resources and Services Administration (HRSA) also exist at the Information Technology Infrastructure and Operations (ITIO) office, according to a report published by the Office of Inspector General for the Health and Human Services Department.

Both are part of HHS. The Information Technology Infrastructure and Operations office provides enterprise network and security infrastructure services for various divisions within HHS, including the secretary's office and headquarters. These services are performed by a contractor overseen by ITIO.

OIG staff interviewed ITIO's security and IT staff, reviewed policies and procedures and tested controls in place at ITIO and selected operating divisions.

It found six categories of vulnerabilities:

  • Ineffectively tracking and managing IT inventory
  • Inadequate patch management that could allow hackers into critical data
  • Ineffective antivirus monitoring
  • Lack of policies and procedures to manage USB port control access
  • Lack of a standard configuration management program that ensures that all the devices it manages are configured properly
  • Insufficient reviews of its logical access control process

The first four problems were also found at HRSA; instead of the last two, the HRSA audit criticized that unit for inconsistently applying encryption policies and inconsistently reviewing Active Directory accounts.

The report does not go into specifics, citing their sensitive nature, but calls on ITIO to address these issues.

In a 2014 report, OIG told state Medicaid agencies that they must make information security a priority after it found high-risk vulnerabilities in 10 state agencies.

It recently reported, however, that gaps in Medicare contractors' information security programs decreased in 2013 from the year prior. The most common gaps, according to the report, were in policies and procedures; periodic testing of information security controls; and incident detection.

The Government Accountability Office in a report last month said federal agencies, including Veterans Affairs, need to do more to protect their systems against persistent cyberthreats, including overseeing contractors.

To learn more:
- find the ITIO audit report (.pdf)