HHS Information Security Program ‘Not Effective’

According to the HIPAA Journal, the US Department of Health and Human Services (HHS) has failed its security audit for a fourth consecutive year.

The audits were conducted for the HHS’ Office of Inspector General (OIG) to confirm compliance with the Federal Information Security Modernization Act of 2014 (FISMA) for fiscal years 2018 through 2021. Audits were conducted at five of the HHS’ 12 operating divisions, and all resulted in the program receiving a ‘not effective’ rating. In all audited divisions, the HHS was found not to have fully implemented a continuous diagnostics and mitigation (CDM) strategy, and the report stated that “The HHS … does not have a definitive schedule for fully implementing the CDM program across all operating divisions.”

Garret F. Grajek
InfoSec Expert
May 6, 2022 10:09 am

The negative report on the state of security for the HHS is indicative of a larger problem and belies a larger industry problem. There is no lack of guidance and regulations on the industry. With the National Institute of Technology and Standards (NIST) constantly revising their CyberSecurity Framework SP 800-53 and then releasing updates for key sectors, such as for supply chain (SP 800-161) and zero trust (SP 800-207) – the baseline best practices are out there. And these guidelines are then put into regulations, as HIPAA has done for the health care industry, enforced by the US government – and HITRUST, created and enforced by the industry. The failure has been the adoption of automation to ensure that this intelligent and well-meaning guidance is put into place. The industry simply does not have the personnel and resources to implement these best practices manually.

Information Security Buzz