October 19, 2019


HHS Information Security Program Deemed ‘Not Effective’

There was, unfortunately, some bleak news out of the Department of Health & Human Services (HHS) Office of the Inspector General (OIG) recently. The OIG released the results of a performance audit of HHS’ compliance with the Federal Information Security Modernization Act of 2014 (FISMA). The OIG Report notes that FISMA requires an annual independent evaluation of the agency’s information security program and practices to determine the effectiveness of that program and those practices.

Although the report acknowledged some improvements over previous years, the audit concluded that HHS’ information security program was ‘Not Effective.’

In the crucial area of data protection and privacy, the report outlined the following findings:

  • The Department did not document its review and updates of the guidance associated with privacy-based risk assessments to reflect the current environment.

  • One Operating Division’s guidance and requirements for addressing data protection and privacy controls were not updated within two years, as HHS requires.

  • Security requirements outlined in privacy impact assessments were outdated or incomplete.

The findings also included comments in the Data Protection and Privacy section of the Report indicating weaknesses in the security controls for protecting personally identifiable information (PII) and other agency sensitive data throughout the data lifecycle. A final recommendation regarding data protection and security, with which HHS concurred, was that HHS must update relevant Department policies, procedures, and guidance, and also work with the Operating Divisions to measure the effectiveness of privacy-specific controls and trainings.

Given the enormous amount of personal information and health information in the federal government’s possession, the risk and unfortunate likelihood of a data breach, and the value of that personal and health data, the federal government, and HHS in particular, must make the necessary improvements to its data privacy and security measures.

Copyright © 2019 Robinson & Cole LLP. All rights reserved.


About this Author

Deborah A. George, Robinson Cole, Cybersecurity lawyer

Deborah George is a member of the firm’s Business Litigation Group as well as its Data Privacy + Cybersecurity Team.

Deb advises clients on and focuses her practice on data privacy and security, cybersecurity, and compliance with related state and federal laws. She also has experience providing counsel in civil litigation and employment law matters. She has significant experience offering advice and counsel on legal issues related to human services agencies, including Medicaid, as well as drafting and reviewing contracts, business associate agreements, and data use agreements. ...