While HHS has improved its security awareness, its security program was “not effective” because it lacked a managed and measurable maturity level for the identify and protect functional areas.
The Department of Health and Human Services’ information security program was once again deemed “not effective,” according to the Office of Management and Budget’s annual Federal Information Security Modernization Act report.
In April, an Office of the Inspector General report deemed the HHS’ security programs at four operating divisions “not effective,” when auditing the departments to determine compliance with FISMA.
While the departments were found to be working toward improving their security posture, the audited divisions had weaknesses in risk management, identity and access management, and incident response, among a host of other vulnerabilities.
OMB’s report showed similar issues, citing the lack of a “managed and measurable” maturity level for the identify, protect, detect, respond, and recover functional areas. Officials said the challenge lies in HHS’ federated environment.
A recent HITRUST report determined that sound security control maturity and strong standard security levels will rapidly improve organizations’ security postures, reducing the risk of a breach and control failures.
However, OMB stressed that the agency is continuing to implement changes to strengthen its security program across the enterprise. Officials said they also found HHS did consistently implement the identify and protect areas.
“HHS continues to be aware of the opportunities to strengthen its overall information security program to ensure that its policies and procedures at all operating divisions are consistently implemented in all areas of its security program,” OMB officials wrote.
“Increased network connectivity has expanded the government’s capacity to store and process data; however, this advent has led to federal agencies and their high-value assets being exposed to more cyber risks—including threats such as adversary and criminal interest, phishing, and network and software vulnerabilities,” they added.
OMB also found HHS has already taken steps to mitigate some of the risks to the organization through the development of collaborative efforts within the agency to manage mission critical systems and high value assets that support mission essential functions.
The Department of Homeland Security has also been providing HHS with operational assessment services and technical assistance to manage cyber risk.
What’s more, HHS has also ensured privacy and security risks are captured and addressed within its enterprise risk management framework, while taking steps to better understand the landscape of its high-value assets through an analysis based on DHS data elements.
The goal has been to increase awareness around “system interdependencies, whether systems support MEFs, and whether functional exercises are performed in the event a system needs recovery.”
HHS has also been reviewing contractual language related to its third-party vendors and whether the appropriate clauses adhere to departmental policy. The agency has also been actively working with other stakeholders to improve its security posture, while increasing cybersecurity awareness within the healthcare sector.
Currently, HHS is working towards the implementation of a department-wide continuous diagnostics and mitigation (CDM) program in coordination with DHS, which will add continuous monitoring to its networks and systems and will document progress to address and implement these strategies. HHS will also report its progress through DHS dashboards.
The full implementation of the CDM program will ensure a managed and measurable maturity level is attained by HHS, OMB officials explained. But the CDM implementation comes with its own challenges.
“HHS needs to ensure that there is effective contingency planning, identity and access management, configuration management, and incident response through the use of appropriate tools, processes, and controls at all operating divisions,” according to the report.
HHS will also need to continue its efforts to create a working model that outlines where all of the functional areas interact, in real time. The agency will also need to provide holistic and coordinated responses to security events to strengthen the overall security program and achieve HHS’ mission of an effective and coordinated information security program.
The report also showed a 12 percent decrease in cybersecurity incidents across all federal agencies in fiscal year 2018. Overall, there were 31,107 cybersecurity incidents last year, down from 35,277 in fiscal year 2017.
The OMB report shows increases in HHS’ awareness and cybersecurity efforts, as compared with a host of damning reports from OIG, the Government Accountability Office, and Congress. These reports have shown repeated cybersecurity failings around how HHS handles risk management and identity and access management.
Date: September 04, 2019