Health Law Daily
News
Thursday, March 2, 2017

Continuous improvement the prescription for HHS’s information security program

The HHS Office of Inspector General (OIG) highlighted the successes of HHS’s compliance with the Federal Information Security Modernization Act of 2014 (FISMA) (P.L. 107-347), but noted that there are opportunities for improvement in the department’s information security program relating to areas such as continuous monitoring and risk management. The OIG recommended enhanced guidance and tools to further strengthen the security surrounding HHS’s information technology (OIG Report, A-18-16-30350, March 1, 2017).

FISMA. FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over resources supporting federal operations and assets. It also provides a mechanism for improving the oversight of federal agency information security programs. Amendments to the law include the reestablishment of oversight authority of the Director of the Office of Management and Budget (OMB) over agency information security policies and practices and establishment of authority for the Secretary of the Department of Homeland Security (DHS) to administer the implementation of those policies and practices.

Evaluations under FISMA. The OMB, DHS, and the Council of Inspectors General on Integrity and Efficiency developed FISMA reporting metrics requiring inspectors general to perform an annual independent evaluation of each agency’s information security program and practices to determine their effectiveness. The evaluation includes testing the effectiveness of information security policies, procedures, and practices on a subset of the agency’s information systems, together with an assessment of the effectiveness of the agency’s information security policies, procedures, and practices as a whole.

Findings. As a result of its 2016 evaluation, the OIG found that, overall, HHS has made improvements. The number of negative findings is decreasing annually, and HHS has implemented continuous monitoring tools that have allowed it more insight into the security compliance of its assets. Furthermore, HHS formalized its Information Security Continuous Monitoring program, and is working with DHS to put tools into place that focus on real-time monitoring of systems controls.

Opportunities exist, however, to strengthen the overall information security program. The OIG continued to identify weaknesses in the following:

  • continuous monitoring: the ability of an organization to maintain the security authorization of an information system over time in a dynamic environment with changing threats, vulnerabilities, technologies, and business processes;
  • configuration management: activities that pertain to the operations, administration, maintenance, and configuration of networked systems and their security posture;
  • identity and access management: procedures that limit information system access to authorized individuals and limit transactions and functions to those that users are permitted to perform;
  • risk management: a disciplined and structured process that integrates information security and risk management activities into the system development life cycle;
  • incident response: activities that capture general threats and incidents that occur in the HHS system and physical environment;
  • security training: allows personnel to understand their roles and responsibilities, understand the organization’s IT security structure, and have adequate knowledge of the controls required and available to protect IT resources for which they are responsible;
  • plan of action and milestones: required for an effective risk management program;
  • contingency planning: a coordinated strategy involving plans, procedures, and technical measures to enable the recovery of business operations, information systems, and data after a disruption; and
  • oversight of contractor systems: necessary to assess that companies and individuals working with the agency are following the same security requirements as federal agencies and employees.

These weaknesses could result in unauthorized access to and disclosure of sensitive information and disruption of critical operations at HHS, compromising the confidentiality, integrity, and availability of HHS’s sensitive information and information systems.

Recommendations and response. The OIG recommended that HHS further strengthen its information security program as related to the evaluation’s findings. HHS concurred with all of the OIG’s recommendations.
