HHS dinged on security from all sides

The Department of Health and Human Services’ information security program is “not effective,” according to the latest Federal Information Systems Modernization Act audit conducted by the agency’s Office of Inspector General.

The OIG’s report, released in April, identified deficiencies in implementing a departmentwide continuous diagnostics and mitigation program and noted that “there is no definitive schedule to fully implement the CDM program across all [operating divisions].” The agency concurred with the assessment and the recommendations included in the report. 

Separately, HHS earned a D grade in the FISMA category of the Federal Information Technology Acquisition Reform Act scorecard released by the House Oversight and Reform Committee in December 2021.

Additionally, a Government Accountability Office audit released in June urged the agency to establish a feedback mechanism to improve the effectiveness of its process for reporting data breaches. HHS concurred with the recommendation, which follows a significant increase in the number of data breaches involving unsecured protected health information at HHS. The agency has experienced year-over-year increases in data breaches affecting 500 or more individuals since 2015, with the total number of individuals affected each year rising as high as 113 million.

According to GAO’s audit, hacking and IT incidents have accounted for approximately 55% of the 3,200 breaches at the agency from 2015 to 2021. Unauthorized access and disclosure, theft, loss and improper disposal accounted for the rest of the breaches, according to the HHS Office for Civil Rights (OCR).

“Without a clear mechanism to provide feedback to OCR, covered entities and business associates can face challenges during the breach reporting process,” auditors wrote. “Further, soliciting feedback on the breach reporting process could help OCR improve aspects of the process.”

In another report released in June, the HHS OIG found that the largest operating division at HHS — the Centers for Medicare and Medicaid Services (CMS) — did not fully comply with a binding operational directive issued by the Cybersecurity and Infrastructure Security Agency that requires executive branch agencies to patch and mitigate critical vulnerabilities.

Auditors said CMS failed to mitigate two vulnerabilities reported by CISA within the directive’s 30-day time frame and did not apply security patches to all previously known vulnerabilities. Additionally, CMS did not have the necessary logs to establish that the remediation activity took place, according to the OIG.