The Department of Health and Human Services spent $13 billion on information technology in 2016, far more than any other federal agency.
But HHS still hasn’t implemented security functions that the Government Accountability Office deems “effective.”
In a report (PDF) released Thursday, the GAO scored HHS’ ability to identify, detect, respond to and recover from a security incident at Level 3, meaning cybersecurity policies, procedures and strategy are consistently implemented but the agency lacks quantitative and qualitative ways to measure the effectiveness of those policies. HHS’ ability to protect against cyberthreats was scored at Level 2, meaning formalized policies and procedures are inconsistently implemented.
Level 4 and 5 ratings, where security functions are managed and measurable or optimized, are determined to be “effective” according to the GAO.
A report released by the Office of Inspector General earlier this year identified nine areas where HHS faces information security weaknesses, many of which had been identified before.
HHS isn’t alone. The GAO report highlighted IT security weaknesses in all 24 federal agencies it reviewed, particularly when it came to access control and security management. The majority of those agencies also struggled with configuration management, segregation of duties and contingency planning.
Gregory C. Wilshusen, director of information security issues at GAO, said patching is one area where federal agencies are particularly vulnerable. Although many have procedures for installing patches, they rarely carry them out in a timely manner.
"That is really a critical vulnerability since many cyberattacks are facilitated by the lack of patches installed in those systems," he said in a podcast accompanying the report.
According to the figures provided by HHS, the agency’s $13 billion IT tab was $1.65 billion over its budget in 2016. The agency’s total spending was more than twice as much as the agency with the second highest IT budget, the Department of Homeland Security, which spent $6.2 billion in 2016.
HHS devoted $373 million to IT security, representing just 3% of its total IT spending. The Department of Urban Housing and the Department of Transportation were the only agencies to spend a smaller percentage on security. On average, 23 agencies (excluding the Department of Defense) spent 8% on IT security in 2016.
But those numbers may be slightly skewed by the fact that the IT budget at HHS is driven largely by the CMS Medicaid Management Information System, which accounts for more than half of its annual spending. That system includes grant money that is siphoned off to states to update and manage their Medicaid IT systems.
Presumably, those states devote a portion of their budget to IT security. However, over the past year, the Office of Inspector General has identified inadequate IT security in six different states. In its most recent report, OIG reported that Alabama’s Medicaid system had “numerous significant system vulnerabilities” because of insufficient controls and oversight.