The annual HHS watchdog’s FISMA audit on HHS, FDA, CMS, and NIH deemed HHS information security didn’t meet the managed and measurable level of an effective program.
The information security program of the Department of Health and Human Services, including four operating divisions, was determined to be ‘not effective’ by the Office of the Inspector General.
The watchdog recently completed its annual Federal Information Security Management Act audit of HHS, the Food and Drug Administration, Centers for Medicare and Medicaid Services, and the National Institutes of Health. OIG officials evaluated the operating divisions to determine compliance with the federal regulation.
Officials analyzed the HHS security program against the selected operating divisions’ policies, other standards and guidance issued by HHS, performance measures, personnel interviews, and inspected selected artifacts.
The audit determined that while HHS, FDA, CMS, and NIH continues to work toward strengthening its security program, the agencies’ security has weaknesses in its risk management, configuration management, identity and access management, data protection and privacy, security training, continuous monitoring, incident response, and contingency planning.
“We determined that HHS’ information security program was ‘Not Effective’ as it did not meet the ‘Managed and Measurable’ level in the following functional areas: Identify, Protect, Detect, Respond, and Recover,” officials wrote.
“HHS is a federated environment which brings challenges in attaining a managed and measurable maturity model for all OPDIVs,” they continued. “We assessed identify and protect at the consistently implemented level, with detect, respond, and recover being assessed at the defined level.
The configuration management vulnerabilities found at the OPDIVs led one division with a large number of identified flaws to resolve those security gaps in the timelines established by HHS guidelines.
Some of the platforms of another OPDIV lacked security configuration requirements evaluated against established standards to confirm its security before they were deployed. Another division had several IT assets deployed using security configurations no longer supported by the vendor to address emerging threats.
“OPDIVs that do not detect and resolve known security vulnerabilities will be left exposed, thus compromising their confidentiality, integrity, and availability of their information assets,” officials wrote.
OIG recommended HHS work with its OPDIVs leveraging qualitative and quantitative performance measures to determine the effectiveness of its configuration plans. The measures must be based on automated toolset results to determine any misconfigurations, unsupported components, and the effectiveness of its flaw remediation processes.
HHS should also define the timeline to communicate the performance measures to the office of the chief information officer.
Further, HHS needs a new approach to implanting security tools, to ensure consistency in recording, implementing, and maintaining configuration controls, as well as baseline IT configurations and inventory of related components.
HHS concurred with the findings and recommendations, and officials noted that some OPDIVs are awaiting the deployment of these tools that will be provided by the Department of Homeland Security.
The OPDIVs’ risk management policies were deemed ineffective by OIG, as the department standards and strategies on how to handle and address risk weren’t always updated or followed. At one branch, officials found the lack of this formal strategy resulted in many plan of action and milestones not being reported to HHS.
Officials also found the OPDIVs needed to improve its process for tracking and reporting systems and software inventories. At one division, there was no process to identify software installed on a wide range of IT platforms, which resulted in one selected system not being incorporated into the department’s risk management program.
What’s more, the OPDIVs would potentially be unaware if employees and or contractors installed illegally copied or outdated software.
“The lack of a formal communication strategy of plan of action and milestones’ status by the OPDIV to the department may result in vulnerabilities not being adequately and timely addressed,” officials wrote.
“Without an effective program to identify and define all system inventories, HHS and its OPDIVs may not be able to protect their information systems, which exposes the Department to additional vulnerabilities,” they added.
HHS does have an established risk framework and an overarching IT strategy to guide its leaders in making risk decisions. HHS’ CISO also holds monthly meetings on emerging risks and trends, and some OPDIVs have a defined process for identification, assessment, response, and monitoring of IT risks.
However, officials said the agencies can improve its risk management posture by working with its OPDIVs on enterprise risk management strategy to integrate governance functions around internal control activities, strategic planning, and the like. The improvements should include the integration of threat modeling and timely reporting tools.
HHS concurred with OIG’s recommendations and are currently deploying a governance, risk and compliance tool across the enterprise. Further, they’re implementing a continuous diagnostics and mitigation tool to enhance its monitoring abilities and improve visibility across the network.
A review is also being conducted around the specific OPDIVs findings to track mitigation, evaluate trends, identify common issues, and assess whether configuration policies and procedures are adequate.
“With the implementation of these new tools, relevant policies, procedures, and guidance would be updated to reflect the new processes and capabilities that are consistent with OMB, NIST and Department guidelines and requirements,” officials wrote.
OIG also found HHS does not have a consistent toolset to conduct real-time monitoring or measure the effectiveness across the enterprise. One division did not maintain appropriate user agreements, while another division’s two-factor authentication couldn’t be verified by OIG.
“Without properly maintaining user agreements, HHS may not be able to enforce legal responsibilities on users who violated security policies,” officials wrote. “The lack of two-factor authentication for systems may increase the risk of inappropriate access to the HHS network, information systems, and data resulting in the potential loss, destruction or misuse of sensitive data, and resources.”
HHS also failed to document its review and updates for the guidance associated with privacy-based risk assessments that would reflect its current IT environment. One OPDIV hadn’t update its guidance and requirements in two years – which is required by HHS.
Further, the security requirements outlined in these privacy impact assessments were either outdated or incomplete.
As for HHS’ security program, one OPDIV did not define its training guidance and requirements, including a strategy for security training. Some users hadn’t completed their required annual awareness training.
“Users who are unaware of their security responsibilities and/or have not received adequate security training may not be properly equipped to effectively perform their assigned duties which increases the risk of causing a computer security incident,” officials wrote. “This could lead to the loss, destruction, or misuse of sensitive Federal data.”
Lastly, OIG found some of the biggest vulnerabilities with HHS contingency planning. To start, three OPDIVs had not consistently implemented their IT system contingency planning program with communication of current policies, procedures, and strategies to its IT systems’ owners.
Another two OPDIVs failed to update their continuity of operations framework, policies, or procedures, which would reflect its current mission and business environment. As a result, systems owners did not maintain current policies and procedures.
One division dialed to completely document its business impact analysis or adequate backup procedures for some of the high or moderate availability systems. HHS also lacked adequate testing procedures around contingency planning, adequate alternative processing sites.
“Without implementing effective security controls for the contingency planning process, critical data and operations may not be recoverable timely in the event of a true disaster or emergency,” officials wrote. “Without consistently updating the contingency planning functions, system owners and its users may be unaware and unprepared to address the current threats that may significantly impact the information system security.”
“HHS continues to work toward implementing a department-wide continuous diagnostics and mitigation program with DHS. This should help HHS achieve a higher level of maturity for its information security program in subsequent years,” officials added. [HHS] should focus on configuring recently deployed continuous diagnostic monitoring tools to automate the integration of cyber risks into newly developed enterprise risk management programs.”
This is just the latest watchdog report to find security vulnerabilities in HHS and NIH security programs. The Government Accountability Office recently found HHS has 42 unresolved priority cybersecurity recommendations, while an earlier OIG pen testing audit of HHS’ network and web applications found serious vulnerabilities.
Date: May 01, 2019
Source: Health IT Security