The U.S. Department of Health and Human Services’ Office of Inspector General (OIG) released its yearly evaluation of HHS compliance with the Federal Information Security Management Act of 2014 (FISMA).
Ernst & Young LLP conducted the 2018 audit of the HHS information security program on behalf of OIG. The audit revealed a number of security flaws in the program, including a deterioration of security in some areas compared to 2017. Because of those issues, the HHS information security program was found “not effective.”
OIG remarks in its review that HHS made efforts to reinforce security throughout the entire agency, but that overall those efforts were insufficient to raise the information security program to the ‘managed and measurable’ maturity level in the five cybersecurity framework function areas: Identify, Protect, Detect, Respond, and Recover.
To reach the managed and measurable level, HHS needs to implement a continuous diagnostics and mitigation (CDM) program. HHS has made some progress here: together with the Department of Homeland Security, its networks and computer systems are constantly monitored, and that progress is documented against its goals.
Through the CDM program, HHS can bring its information security program to a higher level of maturity in the coming years. At present, however, eight major areas across the five cybersecurity framework function areas have a number of weaknesses:
- Identify: Risk management
- Protect: Data protection and privacy; configuration management; security training; and identity and access management
- Detect: Information security continuous monitoring
- Respond: Incident response
- Recover: Contingency planning
OIG found that HHS performed better in the Identify and Protect areas, but its maturity rating declined in the Respond area.
HHS must keep building toward a working model in which all the functional areas interact in real time and responses to security events are holistic and synchronized. HHS can accomplish this by using the CDM tools, continuing to improve its IT processes and security controls, and acting on the monitoring data the CDM tools generate.
OIG offered a number of recommendations for strengthening the HHS information security program and improving security at particular operating divisions.
HHS agreed with all of OIG’s recommendations and provided a comprehensive plan for implementing them.