HHS Information Security Program Deemed ‘Not Effective’
Thursday, April 25, 2019
Department of Health Human Services HHS info security program Not Effective
Print Mail Download i

There was, unfortunately, some bleak news out of the Department of Health & Human Services, (HHS) Office of the Inspector General (OIG) recently. The OIG recently released the results of a performance audit of the HHS’ compliance with the Federal Information Security Modernization Act of 2014 (FISMA). The OIG Report states that FISMA requires that there be an annual independent evaluation of the information security program and practices of the agency to determine the effectiveness of such program and practices.

Although the report concluded that there were some improvements over previous years, the audit concluded that HHS’ information security program was ‘Not Effective.’

In the crucial area of data protection and privacy, the report outlined the following findings:

  • The Department did not document their review and updates for the guidance associated with the privacy based risk assessments to reflect the current environment.

  • One Operating Division’s guidance and requirements to address data protection and privacy controls was not updated within two years as required by HHS.

  • Security requirements outlined in privacy impact assessments were outdated or incomplete.

The findings also included comments in the Data Protection and Privacy section of the Report that indicated that there were weaknesses in the security controls for protecting personally identifiable information (PII) and other agency sensitive data throughout the data lifecycle. A final recommendation regarding data protection and security, which HHS concurred with, was that HHS must update relevant Department policies, procedures, and guidance and also work with the Operating Divisions to measure the effectiveness of privacy specific controls and trainings.

Given the enormous amount of personal information and health information that the federal government has in its possession, the risk and unfortunate likelihood of a data breach, and the value of that personal and health data, the federal government, and HHS in particular, must make necessary improvements to its data privacy and security measures.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.

Current Legal Analysis

More from Robinson & Cole LLP

Department of Justice Criminal Division Announces Voluntary Self-Disclosure Pilot Program for Culpable Individuals
by: David E. Carney , Danielle H. Tangorre
FTC Votes to Finalize Rule Banning Non-Compete Agreements Nationwide
by: Ian T. Clarke-Fisher , Trevor L. Bradley
Cisco Releases Updates to Vulnerabilities in Firewall Platforms
by: Linn F. Freedman
USPTO Issues Guidance on Use of AI Based Tools
by: Daniel J. Lass
California Trap & Trace Class Actions on the Rise in the Age of Website Trackers
by: Kathryn M. Rattigan
Aid Package Signed by President Biden Includes Divestiture of TikTok Requirement
by: Linn F. Freedman
Privacy Tip #395 – GM Faces Class Action for Collecting + Disclosing Drivers’ Data Without Consent
by: Linn F. Freedman
AI, Government Contractors, and Employment Discrimination
by: Data Privacy & Cybersecurity Robinson Cole
Chicago’s Application of Parking Regulations Violates RLUIPA
by: Eden (Hunter) Yerby
The Department of Education Releases Significant Revisions to Title IX Regulations
by: Kathleen E. Dion , Seth B. Orkand

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins