Highlights

The Department of Health and Human Services (HHS) is the nation's largest health insurer and the largest grant-making agency in the federal government. HHS programs impact all Americans, whether through direct services, scientific advances, or information that helps them choose medical care, medicine, or even food. For example, the Centers for Medicare & Medicaid Services (CMS), a major operating division within HHS, is responsible for the Medicare and Medicaid programs that provide care to about one in every four Americans. In carrying out their responsibilities, both HHS and CMS rely extensively on networked information systems containing sensitive medical and financial information. GAO was asked to assess the effectiveness of HHS's information security program, with emphasis on CMS, in protecting the confidentiality, integrity, and availability of its information and information systems.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Health and Human Services (all recommendations below)

Recommendation 1: To help HHS fully implement its departmentwide information security program, the Secretary of HHS should direct the Chief Information Officer to develop and implement policies and procedures to ensure the establishment of minimum acceptable configuration requirements.
Status: Closed - Not Implemented
Comment: According to the Department of Health and Human Services (HHS), in response to our recommendation, the department developed ten minimum security configuration standards that must be implemented on applicable systems. According to HHS, the minimum configurations are reviewed on an annual basis and updated. However, GAO did not receive evidence from HHS to confirm this, despite numerous attempts to request such information.

Recommendation 2: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions develop comprehensive risk assessments that address key elements.
Status: Closed - Implemented
Comment: In 2010 we verified that the Department of Health and Human Services (HHS), in response to our recommendation, has required all system certification and accreditation (C&A) packages to include risk assessments, consistent with the National Institute of Standards and Technology's Special Publication 800-37. HHS also developed and fully implemented an enterprise-wide C&A checklist.

Recommendation 3: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions complete system security plans for all systems.
Status: Closed - Implemented
Comment: In 2010 we verified that the Department of Health and Human Services (HHS), in response to our recommendation, required all system certification and accreditation (C&A) packages to include a detailed system security plan, consistent with the National Institute of Standards and Technology's Special Publication 800-18. HHS also developed and implemented an enterprise-wide C&A checklist.

Recommendation 4: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions provide specialized training to all individuals with significant security responsibilities.
Status: Closed - Implemented
Comment: In 2010 we verified that the Department of Health and Human Services (HHS), in response to our recommendation, trained 99 percent of employees with significant security responsibilities. A training sub-committee continues to identify tracking mechanisms for training, and to identify curricula.

Recommendation 5: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions conduct tests and evaluations of the effectiveness of controls on operational systems, and document results.
Status: Closed - Implemented
Comment: In 2010 we verified that the Department of Health and Human Services (HHS), in response to our recommendation, required system certification and accreditation (C&A) packages to include an initial and thorough security control test and evaluation (ST&E), with documented results. HHS tracks completion of ST&Es at the enterprise and division levels.

Recommendation 6: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions review remedial action plans to ensure that they address all previously identified weaknesses and key corrective action information.
Status: Closed - Implemented
Comment: In 2010 we verified that the Department of Health and Human Services (HHS), in response to our recommendation, implemented quarterly compliance review and continuous monitoring to provide a qualitative assessment of weaknesses described in plans of action and milestones. HHS uses an automated tool to track all weaknesses and ensure that they are reviewed for completeness prior to their quarterly submission to OMB.

Recommendation 7: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions implement intrusion detection systems and configure them to use consistent criteria for the detection and reporting of security incidents and events.
Status: Closed - Implemented
Comment: In 2010 we verified that the Department of Health and Human Services (HHS), in response to our recommendation, implemented security intrusion detection monitors throughout its enterprise. Additionally, HHS provided detailed, real-time alerts to security staff and management, as well as a consolidated view of the security posture of the entire enterprise.

Recommendation 8: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions develop and test continuity of operations plans for all of their systems.
Status: Closed - Implemented
Comment: In 2010 we verified that the Department of Health and Human Services (HHS), in response to our recommendation, developed and tested its continuity of operations plans.