HHS Information Security Program Deemed ‘Not Effective’
There was, unfortunately, some bleak news out of the Department of Health & Human Services (HHS) Office of the Inspector General (OIG) recently. The OIG released the results of a performance audit of HHS’ compliance with the Federal Information Security Modernization Act of 2014 (FISMA). The OIG Report states that FISMA requires an annual independent evaluation of the agency’s information security program and practices to determine the effectiveness of that program and those practices.
Although the report noted some improvements over previous years, the audit concluded that HHS’ information security program was ‘Not Effective.’
In the crucial area of data protection and privacy, the report outlined the following findings:
The Department did not document its review and updates of the guidance associated with privacy-based risk assessments to reflect the current environment.
One Operating Division’s guidance and requirements for addressing data protection and privacy controls were not updated within two years, as required by HHS.
Security requirements outlined in privacy impact assessments were outdated or incomplete.
The findings also included comments in the Data Protection and Privacy section of the Report indicating weaknesses in the security controls for protecting personally identifiable information (PII) and other agency sensitive data throughout the data lifecycle. A final recommendation regarding data protection and security, with which HHS concurred, was that HHS must update relevant Department policies, procedures, and guidance, and also work with the Operating Divisions to measure the effectiveness of privacy-specific controls and trainings.
Given the enormous amount of personal and health information in the federal government’s possession, the value of that data, and the unfortunate likelihood of a data breach, the federal government, and HHS in particular, must make the necessary improvements to its data privacy and security measures.