OIG Published the Findings on FISMA Compliance Review of HHS

The Department of Health and Human Services’ Office of Inspector General released its review findings on HHS’ compliance with the Federal Information Security Modernization Act (FISMA) of 2014. OIG noted the improvements HHS made to its information security program in 2017. There were also some areas of weakness identified, which were similar to the vulnerabilities and weaknesses noted in the FISMA compliance review for fiscal 2016.

HHS is developing a Continuous Diagnostics and Mitigation (CDM) program that is to be implemented in all departments. It will be used to monitor networks, information systems and personnel activity. In addition, HHS’ information security programs have been strengthened since the last review. However, OIG identified weaknesses in the following areas of HHS continuous monitoring:

  • risk management
  • configuration management
  • identity and access management
  • incident response
  • security training
  • information security
  • contingency planning

OIG also identified specific weaknesses and vulnerabilities in the following areas:

In configuration management, four operational divisions (OPDIVs) were noncompliant with configuration management policies and procedures in some instances. Not all software was up to date, and patches were not applied promptly. Vulnerability scans using Security Content Automation Protocol (SCAP) tools were missing. Some operating systems were no longer supported by their vendors. Some configuration management personnel were not monitoring approvals, testing results and migration dates in the management tracking tools. The Detect function, which develops and implements the activities used to identify cybersecurity events, also had vulnerabilities.

In security training, some OPDIVs failed to train their staff, including new hires. Although the number of insufficiently trained employees is small, they pose a considerable risk to HHS’ systems and network security. Two OPDIVs failed to track the security training status of contractors and personnel.

In risk management, some OPDIVs had not yet finalized their policies and procedures. Some also lacked a list of the devices and software used on the network, or details of unauthorized software found on it.

In identity and access management, account management procedures were not always followed, and shared accounts were not monitored properly. Inactive accounts were not removed, active account passwords were not reset, and accounts were not disabled promptly when employees were terminated.
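The identity and access management findings above are the kind of control failures a periodic account audit is meant to catch. The script below is an added example, not part of the OIG report or any HHS tooling: it applies the three checks the findings describe (inactive accounts still enabled, stale passwords, accounts still enabled after termination) plus a proxy for unmonitored shared accounts (a shared account with no named owner) to a constructed set of account records. The thresholds (90 days inactive, 60-day password age, disable on the termination date) and the account records are assumptions chosen for illustration, not values from the report.

```python
"""Account hygiene audit for the identity and access management findings.

Added example (not from the OIG report). The thresholds and all account
records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed policy thresholds; a real program would take these from its
# account management procedures.
INACTIVE_DAYS = 90          # disable accounts with no login in 90 days
MAX_PASSWORD_AGE_DAYS = 60  # passwords older than 60 days must be reset
TERMINATION_GRACE_DAYS = 0  # accounts are disabled on the termination date


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]
    password_set: date
    terminated_on: Optional[date] = None
    shared: bool = False
    owner: Optional[str] = None


def audit(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every enabled account that
    violates one of the checks. Disabled accounts are already remediated
    and are skipped."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        # Terminated employee whose account is still enabled
        if (acct.terminated_on is not None
                and (today - acct.terminated_on).days > TERMINATION_GRACE_DAYS):
            findings.append((acct.username, "enabled after termination"))
        # Never logged in, or not logged in within the inactivity window
        if (acct.last_login is None
                or (today - acct.last_login).days > INACTIVE_DAYS):
            findings.append((acct.username, "inactive account still enabled"))
        # Active account whose password was never rotated
        if (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct.username, "password not reset"))
        # Shared account with nobody accountable for monitoring it
        if acct.shared and acct.owner is None:
            findings.append((acct.username, "shared account without an owner"))
    return findings


# Constructed sample data: one clean account, one dormant account, one
# terminated user still enabled, one unowned shared account, and one
# account that was already disabled.
TODAY = date(2018, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, date(2018, 2, 20), date(2018, 1, 15)),
    Account("asmith", True, date(2017, 10, 1), date(2017, 9, 1)),
    Account("bjones", True, date(2018, 2, 14), date(2018, 2, 1),
            terminated_on=date(2018, 2, 15)),
    Account("svc_backup", True, date(2018, 2, 28), date(2018, 2, 10),
            shared=True, owner=None),
    Account("old_contractor", False, date(2017, 1, 1), date(2017, 1, 1),
            terminated_on=date(2017, 6, 30)),
]


def run_audit() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample and return its findings."""
    return audit(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for username, finding in run_audit():
        print(f"{username}: {finding}")
```

The checks operate only on enabled accounts, so an account that has already been disabled does not generate noise even if its password or last login is years old; the useful output is the set of accounts that still need action, which is the list an OPDIV would work through to close the findings above.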

The vulnerabilities and weaknesses identified by OIG are common among healthcare covered entities, and many such entities have already been fined by HHS’ Office for Civil Rights for noncompliance. HHS concurred with OIG’s findings and said it will do its best to implement controls and update policies and procedures as needed.