OIG: HHS shows improvement on security program, but needs to do more

The U.S. Department of Health and Human Services made improvements last year in compliance with the Federal Information Security Modernization Act of 2014 (FISMA), but needs to do more, according to a report from the Office of the Inspector General (OIG).

"Exploitation of these [remaining] weaknesses could result in unauthorized access to, and disclosure of, sensitive information and disruption of critical operations for HHS," the report states.

The OIG outlined 10 areas where it recommended improvements, including:

  • Continuous monitoring management: Though  HHS has developed policies and procedures for continuous monitoring, that program has not been fully implemented department-wide. The program includes vulnerability management, patch management, malware detection, network management and more.
  • Identity and access management: Some operating divisions have not been consistently implemented account management procedures for shared accounts and for new, transferred and terminated personnel.
  • Security training: Some divisions did not monitor completion of role-based security training.
  • Remote-access management: Some divisions had not developed formal and finalized remote-access policies and procedures.
  • Contractor systems: Some divisions did not have effective contractor oversight protocols.

HHS said in response that it is waiting for further guidance from the Department of Homeland Security on fully implementing its continuous monitoring program.

A previous OIG report found some of the same problems within HHS' Health Resources and Services Administration (HRSA) and Information Technology Infrastructure and Operations (ITIO) office, including ineffective patch management, antivirus monitoring and reviews of access control process.

President Obama requested a 23 percent budget increase for the department this year, in part due to the increase in cyberthreats.

To learn more:
- here's the report (.pdf)