Information Security: Department of Health and Human Services Needs to Fully Implement Its Program

GAO-06-267: Published: Feb 24, 2006. Publicly Released: Mar 23, 2006.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov


The Department of Health and Human Services (HHS) is the nation's largest health insurer and the largest grant-making agency in the federal government. HHS programs impact all Americans, whether through direct services, scientific advances, or information that helps them choose medical care, medicine, or even food. For example, the Centers for Medicare & Medicaid Services (CMS), a major operating division within HHS, is responsible for the Medicare and Medicaid programs that provide care to about one in every four Americans. In carrying out their responsibilities, both HHS and CMS rely extensively on networked information systems containing sensitive medical and financial information. GAO was asked to assess the effectiveness of HHS's information security program, with emphasis on CMS, in protecting the confidentiality, integrity, and availability of its information and information systems.

HHS and CMS have significant weaknesses in controls designed to protect the confidentiality, integrity, and availability of their sensitive information and information systems. HHS computer networks and systems have numerous electronic access control vulnerabilities related to network management, user accounts and passwords, user rights and file permissions, and auditing and monitoring of security-related events. In addition, weaknesses exist in other types of controls designed to physically secure computer resources, conduct suitable background investigations, segregate duties appropriately, and prevent unauthorized changes to application software. All of these weaknesses increase the risk that unauthorized individuals can gain access to HHS information systems and inadvertently or deliberately disclose, modify, or destroy the sensitive data that the department relies on to deliver its vital services.

A key reason for these control weaknesses is that the department has not yet fully implemented a departmentwide information security program. While HHS has laid the foundation for such a program by developing and documenting policies and procedures, the department has not yet fully implemented key elements of its information security program at all of its operating divisions. Specifically, HHS and its operating divisions have not fully implemented elements related to (1) risk assessments, (2) policies and procedures, (3) security plans, (4) security awareness and training, (5) tests and evaluations of control effectiveness, (6) remedial actions, (7) incident handling, and (8) continuity of operations plans.

Until HHS fully implements a comprehensive information security program, security controls may remain inadequate; responsibilities may be unclear, misunderstood, and improperly implemented; and controls may be inconsistently applied. Such conditions may lead to insufficient protection of sensitive or critical resources and disproportionately high expenditures for controls over low-risk resources.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In 2010 we verified that the Department of Health and Human Services (HHS), in response to our recommendation, implemented security intrusion detection monitors throughout its enterprise. Additionally, HHS provided detailed, real-time alerts to security staff and management, as well as a consolidated view of the security posture of the entire enterprise.

    Recommendation: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions implement intrusion detection systems and configure them to use consistent criteria for the detection and reporting of security incidents and events.

    Agency Affected: Department of Health and Human Services

  2. Status: Closed - Implemented

    Comments: In 2010 we verified that the Department of Health and Human Services (HHS), in response to our recommendation, implemented quarterly compliance review and continuous monitoring to provide a qualitative assessment of weaknesses described in plans of action and milestones. HHS uses an automated tool to track all weaknesses and ensure that they are reviewed for completeness prior to their quarterly submission to OMB.

    Recommendation: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions review remedial action plans to ensure that they address all previously identified weaknesses and key corrective action information.

    Agency Affected: Department of Health and Human Services

  3. Status: Closed - Implemented

    Comments: In 2010 we verified that the Department of Health and Human Services (HHS), in response to our recommendation, required system certification and accreditation (C&A) packages to include an initial and thorough security control test and evaluation (ST&E), with documented results. HHS tracks completion of ST&Es at the enterprise and division levels.

    Recommendation: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions conduct tests and evaluations of the effectiveness of controls on operational systems, and document results.

    Agency Affected: Department of Health and Human Services

  4. Status: Closed - Implemented

    Comments: In 2010 we verified that the Department of Health and Human Services (HHS), in response to our recommendation, trained 99 percent of employees with significant security responsibilities. A training sub-committee continues to identify tracking mechanisms and curricula for this training.

    Recommendation: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions provide specialized training to all individuals with significant security responsibilities.

    Agency Affected: Department of Health and Human Services

  5. Status: Closed - Implemented

    Comments: In 2010 we verified that the Department of Health and Human Services (HHS), in response to our recommendation, required all system certification and accreditation (C&A) packages to include a detailed system security plan, consistent with the National Institute of Standards and Technology's Special Publication 800-18. HHS also developed and implemented an enterprise-wide C&A checklist.

    Recommendation: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions complete system security plans for all systems.

    Agency Affected: Department of Health and Human Services

  6. Status: Closed - Implemented

    Comments: In 2010 we verified that the Department of Health and Human Services (HHS), in response to our recommendation, has required all system certification and accreditation (C&A) packages to include risk assessments, consistent with the National Institute of Standards and Technology's Special Publication 800-37. HHS also developed and fully implemented an enterprise-wide C&A checklist.

    Recommendation: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions develop comprehensive risk assessments that address key elements.

    Agency Affected: Department of Health and Human Services

  7. Status: Closed - Not Implemented

    Comments: According to the Department of Health and Human Services (HHS), in response to our recommendation, the department developed ten minimum security configuration standards that must be implemented on applicable systems. According to HHS, the minimum configurations are reviewed on an annual basis and updated. However, GAO did not receive evidence from HHS to confirm this, despite numerous attempts to request such information.

    Recommendation: To help HHS fully implement its departmentwide information security program, the Secretary of HHS should direct the Chief Information Officer to develop and implement policies and procedures to ensure the establishment of minimum acceptable configuration requirements.

    Agency Affected: Department of Health and Human Services

  8. Status: Closed - Implemented

    Comments: In 2010 we verified that the Department of Health and Human Services (HHS), in response to our recommendation, developed and tested its continuity of operations plans.

    Recommendation: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions develop and test continuity of operations plans for all of their systems.

    Agency Affected: Department of Health and Human Services
