OIG: HHS Improves Security, Yet Flaws RemainList of Concerns Highlights Areas Others Should Scrutinize as Well
The Department of Health and Human Services continues to improve its information security program, but it needs to take steps to address a number of ongoing weaknesses and achieve a higher level of security maturity, according to a new watchdog agency report.
Many of the weaknesses identified at HHS - including configuration management and access management - also are common at many private-sector healthcare organizations and need to be addressed.
See Also: Workforce Authentication Authority
The HHS Office of Inspector General's new report, issued on March 6, is a fiscal 2017 review of HHS's compliance with the Federal Information Security Modernization Act of 2014.
OIG says that overall, HHS "has made improvements and continues to implement changes to strengthen its enterprisewide information security program, including adhering to security training procedures and updating policies and procedures." In addition, OIG notes that HHS continues to work toward implementing a departmentwide continuous diagnostics and mitigation program, "coordinating with the Department of Homeland Security."
Despite this progress, however, OIG identified continued weaknesses in several key areas, including risk management, configuration management, identity and access management, security training, information security continuous monitoring, incident response, and contigency planning.
"HHS needs to ensure that all [operating divisions] consistently review and remediate or address the risk presented by vulnerabilities discovered, consistently implement account management procedures, and accurately track systems to ensure they are operating with a current and valid Authorization to Operate, or ATO," the report notes. "Additionally, the department should configure newly implemented tools procured from DHS to address program missions and goals and address the root cause for risk, inventory and continuous monitoring concerns and deficiencies. These steps will strengthen the program and further enhance the HHS mission."
The report notes that the watchdog agency made a series of recommendations to HHS on how to enhance its information security controls as well as implement specific controls for its various operating divisions. HHS concurred with all of the OIG's recommendations and is taking action or making plans to implement them, the report notes.
OIG's FISMA review of HHS' information security program in fiscal 2016 noted areas of ongoing weaknesses similar to those in the latest review, including configuration management, ID and access management, risk management, incident response and, security training (see OIG: HHS Making Info Security Progress, But Still Has Gaps).
Risk Management Issues
The OIG report notes that HHS's risk management framework, as developed by National Institute of Standards and Technology, provides "a disciplined and structured process" that integrates information security and risk management activities into the system development life cycle.
"A risk management framework is the foundation on which an IT security program is developed and implemented by an entity. A risk management framework should include an assessment of management's long-term plans, documented goals and objectives of the entity, clearly defined roles and responsibilities for security management personnel, and prioritization of IT needs," OIG writes.
The watchdog agency noted some risk management concerns, including:
- At the HHS office of the CIO and three of the selected operating divisions, risk management policies and procedures were not finalized, reviewed or updated.
- At two of the selected operating divisions, there was not an effective process to develop, maintain and report an inventory of software assets on the network.
- At one operating division, there was not an automated mechanism employed to help maintain an up-to-date, complete, accurate and readily available inventory of information systems.
- At one division, there were discrepancies for system categorizations between the system inventory and security documentation.
- At another division, the network boundaries for FISMA systems were not defined in relevant documentation.
Many of the weaknesses spotlighted in the OIG report are far too common among private-sector healthcare organizations as well, says Tom Walsh, president of consulting firm tw-Security.
The three areas of vulnerability that are most troubling throughout the healthcare industry, Walsh says, are weaknesses in configuration management, access management and training.
Configuration management - in particular, not knowing with certainty what applications and systems that are part of the network, is particularly worrisome, he says. "It is tough to protect an enterprise when there is uncertainty as to what is on the network and its configuration level," he says.
"It is tough to protect an enterprise when there is uncertainty as to what is on the network and its configuration level."
—Tom Walsh of tw-Security
When it comes to access management, user provisioning - managing user access, especially for contractors - is another concern, he says. In addition, deficient training is a serious problem, especially when it comes to contractors and "tracking their security training status."
For user provisioning and training issues, Walsh says he emphasizes contractor risks, for several reasons.
"These individuals come and go and may not have the same vested interest in security as an employee," he says. "They may not understand HIPAA, FISMA and other regulatory requirements. They seldom let you know when their access to systems is no longer required. At least with employees, an organization can always check against the HR/payroll system as a stop-gap for removing or suspending a user's access privileges."
Lack of Documentation
Meanwhile, the OIG's review of HHS's information security program - including its risk management processes - also spotlighted another problem frequently identified at healthcare organizations: A lack of documentation.
"Downloading or buying pre-made policies and slapping your name on them does not make an organization compliant," Walsh says. "Say what you do. Do what you say. Policies, procedures, plans, risk analysis/management reports and plans all need to be periodically reviewed and updated. They are 'living documents' and not a 'one and done' type approach."