OIG Report Reveals Information Security Issues at HHS

May 6, 2015
A report from the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) has found that information security at HHS needs improvement because controls have not been fully implemented and monitored.

For the report, OIG reviewed selected security controls at the Health Resources and Services Administration (HRSA), an HHS agency that comprises six bureaus and 13 offices and provides leadership and financial support to healthcare providers across the country. HRSA’s Office of Information Technology (OIT) develops and coordinates HRSA-wide plans, budgets, policies, and procedures for IT infrastructure services.

Specifically, OIG reviewed controls over inventory management, patch management, antivirus management, event management, logical access, encryption, configuration management, Web vulnerability management, and Universal Serial Bus (USB) port control management. OIG interviewed HRSA's security and IT personnel, reviewed policies and procedures, and tested controls in place at the agency.

The report found that HRSA had not fully implemented or monitored some information security controls. OIG identified six categories of vulnerabilities:

• IT asset inventory management—HRSA did not track and manage IT inventory effectively.

• Patch management—HRSA's patch management controls were not implemented and monitored effectively. HRSA had vulnerabilities that, if exploited, could have allowed unauthorized disclosure, modification, or unavailability of critical data.

• Antivirus management—HRSA did not monitor the antivirus status of HRSA-managed assets effectively.

• Logical access—HRSA's Active Directory user accounts were not consistently reviewed as outlined in HRSA's policies.

• Encryption—HRSA did not consistently apply its encryption policies.

• USB port control access—HRSA did not have any policies or procedures to effectively secure USB port control access.

OIG outlined recommendations to HRSA to address these findings. It said that HRSA concurred with 17 of 18 recommendations and partially concurred with one recommendation, and described actions it has taken and plans to take to implement them.