Health Reform WK-EDGE
Thursday, March 15, 2018

Flaws found in HHS information security program

By Matt Pavich, J.D.

The HHS Office of the Inspector General (OIG) has released a report detailing the HHS’ compliance with the Federal Information Security Modernization Act of 2014 (FISMA), which found that while HHS has continued to improve and implement changes intended to strengthen its information security program, weaknesses persisted in HHS’s approach to cybersecurity. HHS concurred with the recommendations and findings (OIG Report, March 6, 2018).

Background. The FY 2017 FISMA reporting metrics (risk management, configuration management, identity and access management, security training, information security continuous monitoring, incident response, and contingency planning) were organized around the five Cybersecurity Framework functions (Identify, Protect, Detect, Respond, and Recover). These metrics were intended to assess the effectiveness of the security program and used maturity levels ranging from 1 to 5, with 1 being the least effective. The OIG assigned level 2 (policies and strategies formalized but not consistently implemented) to four of the five function areas (Identify, Protect, Detect, and Recover) and level 3 (consistently implemented) to the Respond function. The report provided detail on each of the five functions.

Identify. This function is intended to develop the organizational understanding needed to manage cybersecurity risk to systems, assets, data, and capabilities, and focuses heavily on risk management. The OIG found that at the Office of the Chief Information Officer (OCIO) and three of the selected operating divisions (OPDIVs), risk management policies and procedures had not been finalized, reviewed, or updated. Two OPDIVs lacked an effective process to develop, maintain, and report an inventory of the software assets on the network, and one lacked a defined information security architecture integrated into its enterprise architecture to provide a disciplined and structured methodology for managing risk.

Another OPDIV lacked an automated mechanism that would help maintain an up-to-date, complete, and accurate information system inventory. At one OPDIV, system categorizations in the system inventory did not match those in the security documentation, and at another the network boundaries for FISMA systems were not defined in the relevant documentation. Further, the review and approval processes for policies and procedures did not always incorporate the HHS requirement to review and update these documents every three years. The OIG recommended that HHS continue to update its relevant policies and improve its risk management at various levels.

Protect. This function is intended to develop and implement safeguards that allow HHS to limit or contain the impact of a cyberattack, and covers configuration management, identity and access management, and security training. The report found instances of non-compliance with finalized configuration management policies and procedures at all four selected OPDIVs. At two, operating systems that the vendor no longer supported were installed on some assets and approved waivers had not been completed. At one, configuration management personnel did not track approvals, testing results, and migration dates within change management tracking tools. The OIG further noted that some OPDIVs had failed to develop, define, or implement configuration management policies and procedures, putting information systems at risk. The OIG recommended implementation of CDM tools and RSA Archer across all top levels of HHS.

The OIG also examined HHS procedures for limiting access to information. It found that two OPDIVs failed to follow account management procedures, including monitoring, user reviews, and password resets, and that two OPDIVs failed to issue personal identity verification cards to personnel. These failures increased the risk of inappropriate access to the HHS network, and the OIG provided detailed recommendations for fixing the issues.

The report also found flaws in the security training, noting that some personnel at three OPDIVs did not take the training and that two OPDIVs failed to track the security training status of employees and contractors.

Detect. This function is meant to create and implement ways to identify a cyberattack and relies on an information security continuous monitoring (ISCM) program, which in turn depends on keeping the monitored systems and the program itself continually updated. The report found that the OCIO does not know the effectiveness of its software scanning tools or which systems are operational across the HHS environment. The report further found that at two OPDIVs, security control assessments failed to document all controls, and that at two OPDIVs, personnel were not fully in compliance and could not provide an inventory of all authorized and unauthorized devices and software on the network. These deficiencies left HHS exposed to high-risk threats, and the OIG recommended that HHS enhance the ISCM program and implement inventory management tools to centrally track and report on information systems.

Respond. This function focuses on implementing responses to cyberattacks. The report found that a small number of incidents had not been reported, that one OPDIV did not have a file integrity monitoring program, and that one lacked 24/7 monitoring capabilities. The OIG recommended implementing an adequate oversight protocol to ensure prompt reporting.

Recover. This function is intended to restore capabilities and services harmed by a cyberattack and relies heavily on contingency plan development. The report found that three OPDIVs did not document a system-level Business Impact Analysis for some of their systems. Two OPDIVs did not have test results or after-action reports showing that contingency plans for certain systems were tested annually. At one OPDIV, the Continuity of Operations and contingency plan documentation was incomplete, and at two OPDIVs, the backup and restoration procedures were either ineffective or not performed for certain systems. The OIG provided detailed recommendations to HHS.
