A report from the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) has found that information security at HHS needs improvement because controls have not been fully implemented and monitored.
For the report, OIG reviewed selected security controls at the Health Resources and Services Administration (HRSA), an HHS agency that comprises six bureaus and 13 offices and provides leadership and financial support to healthcare providers across the country. HRSA’s Office of Information Technology (OIT) develops and coordinates HRSA-wide plans, budgets, policies, and procedures for IT infrastructure services.
Specifically, OIG reviewed controls over inventory management, patch management, antivirus management, event management, logical access, encryption, configuration management, Web vulnerability management, and Universal Serial Bus (USB) port control management. OIG interviewed HRSA's security and IT personnel, reviewed policies and procedures, and tested controls in place at the agency.
The report found that HRSA had not fully implemented or monitored some information security controls. OIG identified six categories of vulnerabilities:
• IT asset inventory management—HRSA did not track and manage IT inventory effectively.
• Patch management—HRSA's patch management controls were not implemented and monitored effectively. HRSA had vulnerabilities that, if exploited, could have allowed unauthorized disclosure, modification, or unavailability of critical data.
• Antivirus management—HRSA did not monitor the antivirus status of HRSA-managed assets effectively.
• Logical access—HRSA's Active Directory user accounts were not consistently reviewed as outlined in HRSA's policies.
• Encryption—HRSA did not consistently apply its encryption policies.
• USB port control access—HRSA had no policies or procedures to effectively secure access to USB ports.
OIG made 18 recommendations to HRSA to address these findings. HRSA concurred with 17 of them and partially concurred with one, and described the actions it has taken and plans to take to implement them.