One year after the Office of the Inspector General (OIG) identified 10 cybersecurity weaknesses within the Department of Health and Human Services, an updated report repeated many of those same weaknesses almost word-for-word.
An audit evaluating the health agency’s compliance with the Federal Information Security Modernization Act of 2014 (FISMA) found that, although the number of findings decreased compared to the previous year, compliance gaps remain in continuous monitoring, access management, security training and contractor systems, all of which were identified in last year’s review. The report underscores the persistent cybersecurity compliance gaps that have plagued the agency since FISMA was amended three years ago.
Auditors with Ernst & Young, which performed the audit on behalf of OIG, highlighted nine areas in which HHS still faced information security weaknesses despite incremental improvements. For example, auditors noted that HHS has improved continuous monitoring systems by formalizing a program and working toward a real-time monitoring system based on guidance from the Department of Homeland Security. However, operating divisions within HHS had not fully adhered to the program, leaving broad security vulnerabilities.
The same concerns were echoed throughout the report regarding several other security systems mandated under FISMA:
- Configuration management systems were broadly addressed by HHS, but several operating divisions had not updated policies and procedures tied to software and patch management.
- Divisions of HHS failed to comply with procedures to manage user access, increasing “the risk of inappropriate access to the HHS network.”
- Incidents within two divisions of HHS were not reported to the agency’s incident response center in a timely manner, highlighting concerns about response mechanisms.
- HHS did not consistently implement the National Institute of Standards and Technology’s (NIST) risk-management framework, leaving the agency vulnerable to unauthorized access.
- Security training policies had not been updated in three years, and new hires did not always receive security training.
- Action plans often included completion dates that were past due or failed to include cost requirements.
“Exploitation of weaknesses we identified could result in unauthorized access to, and disclosure of, sensitive information and disruption of critical operations at HHS,” the report stated. “As a result, we believe the weaknesses could potentially compromise the confidentiality, integrity, and availability of HHS’ sensitive information and information systems.”
HHS has been repeatedly criticized for its lack of security oversight, although HHS CIO Beth Anne Killoran emphasized several cybersecurity priorities following the release of the agency’s IT strategic plan in September.