GAO: HHS Has Failed to Act on Security Recommendations
Watchdog Report Spotlights Steps Agency Has Not Yet Taken
… “The security risk analysis is often not done or not done correctly, as evidenced by the corrective action plans after HHS Office for Civil Rights investigates a large data breach,” notes Susan Lucci, senior privacy and security consultant at consultancy tw-Security.
That inaction could be related to staffing and budget shortages, she says. “Add on top of that the fact that some remediation efforts have high associated costs, and organizations must choose to ‘accept’ some of the risks until budget can be allocated to close the gap. With all the places where confidential information resides, it is extremely difficult to reduce most risks that cybercriminals will not find a new way to exploit.”