OIG: HHS Improves Security, Yet Flaws Remain
The HHS Office of Inspector General’s new report, issued on March 6, is a fiscal 2017 review of HHS’s compliance with the Federal Information Security Modernization Act of 2014.
OIG says that overall, HHS “has made improvements and continues to implement changes to strengthen its enterprise-wide information security program, including adhering to security training procedures and updating policies and procedures.”
Many of the weaknesses spotlighted in the OIG report are far too common among private-sector healthcare organizations as well, says Tom Walsh, president of consulting firm tw-Security.
The three areas of vulnerability that are most troubling throughout the healthcare industry, Walsh says, are weaknesses in configuration management, access management, and training.
Configuration management – in particular, not knowing with certainty which applications and systems are part of the network – is particularly worrisome, he says. “It is tough to protect an enterprise when there is uncertainty as to what is on the network and its configuration level,” he says.
When it comes to access management, user provisioning – managing user access, especially for contractors – is another concern, he says. In addition, deficient training is a serious problem, especially when it comes to contractors and “tracking their security training status.”
For user provisioning and training issues, Walsh says he emphasizes contractor risks, for several reasons.
“These individuals come and go and may not have the same vested interest in security as an employee,” he says. “They may not understand HIPAA, FISMA and other regulatory requirements. They seldom let you know when their access to systems is no longer required. At least with employees, an organization can always check against the HR/payroll system as a stop-gap for removing or suspending a user’s access privileges.”
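The stop-gap Walsh describes, checking directory accounts against the HR/payroll system, can be run as a routine reconciliation. The script below is an added example and is not code from the OIG report, HHS or tw-Security; the account names, roster and contract dates are constructed for illustration, and it assumes you already have exports of the directory's enabled accounts, the HR system's active roster and the contractor register with sponsor-recorded end dates. It flags enabled accounts with no active HR or contractor record, contractor accounts past their end date or with no end date on file, and accounts with no logon in the last 90 days.

```python
"""Reconcile enabled directory accounts against HR and contractor records.

Added example with constructed data; names, dates and thresholds are
hypothetical and not taken from the OIG report.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]  # None if the account has never logged on


# Constructed sample export from the directory (hypothetical).
DIRECTORY_ACCOUNTS = [
    Account("alice", enabled=True, last_logon=date(2018, 3, 1)),
    Account("bob", enabled=True, last_logon=date(2017, 11, 2)),    # left the agency
    Account("carol", enabled=True, last_logon=date(2018, 2, 28)),  # contract over
    Account("dave", enabled=True, last_logon=date(2018, 1, 1)),    # no end date
    Account("erin", enabled=False, last_logon=date(2017, 6, 30)),  # already disabled
]

# Constructed HR/payroll roster: usernames with an active employee record.
HR_ACTIVE: Set[str] = {"alice", "erin"}

# Constructed contractor register: username -> contract end date
# (None means the sponsor never recorded one).
CONTRACTOR_END: Dict[str, Optional[date]] = {
    "carol": date(2017, 12, 31),
    "dave": None,
    "frank": date(2018, 6, 30),  # registered but not yet provisioned: not a finding
}

AS_OF = date(2018, 3, 6)            # date of the review (the report's release date)
DORMANT_AFTER = timedelta(days=90)  # assumed local dormancy threshold


def review_accounts(
    accounts: List[Account],
    hr_active: Set[str],
    contractor_end: Dict[str, Optional[date]],
    as_of: date,
    dormant_after: timedelta = DORMANT_AFTER,
) -> List[Tuple[str, str]]:
    """Return (username, reason) findings for enabled accounts that should
    be reviewed for suspension or removal."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts need no action here

        if acct.username in hr_active:
            pass  # active employee: HR record justifies the account
        elif acct.username in contractor_end:
            end = contractor_end[acct.username]
            if end is None:
                findings.append((acct.username, "contractor account with no recorded end date"))
            elif end < as_of:
                findings.append((acct.username, f"contract ended {end.isoformat()}"))
        else:
            findings.append((acct.username, "no active HR or contractor record"))

        # Dormancy is checked independently: a stale account with a valid
        # record still deserves a look.
        if acct.last_logon is None or as_of - acct.last_logon > dormant_after:
            findings.append((acct.username, f"no logon in the last {dormant_after.days} days"))
    return sorted(findings)


if __name__ == "__main__":
    for username, reason in review_accounts(DIRECTORY_ACCOUNTS, HR_ACTIVE, CONTRACTOR_END, AS_OF):
        print(f"{username:10} {reason}")
```

Run against the constructed data this reports bob (no HR record and dormant), carol (contract ended 2017-12-31, yet still logging on in February) and dave (no end date on file); the disabled erin account and the not-yet-provisioned frank produce nothing. The contractor register is only as good as the end dates sponsors record, which is why the missing-end-date case is reported as its own finding rather than silently treated as valid.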
Lack of Documentation
Meanwhile, the OIG’s review of HHS’s information security program – including its risk management processes – also spotlighted another problem frequently identified at healthcare organizations: A lack of documentation.
“Downloading or buying pre-made policies and slapping your name on them does not make an organization compliant,” Walsh says. “Say what you do. Do what you say. Policies, procedures, plans, risk analysis/management reports and plans all need to be periodically reviewed and updated. They are ‘living documents’ and not a ‘one and done’ type approach.”