
OIG Report Reveals Information Security Issues at HHS

May 6, 2015
by Rajiv Leventhal

A report from the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) has found that information security at HHS needs improvement because controls have not been fully implemented and monitored.

For the report, OIG reviewed selected security controls at the Health Resources and Services Administration (HRSA), an HHS agency comprising six bureaus and 13 offices that provides leadership and financial support to healthcare providers across the country. HRSA’s Office of Information Technology (OIT) develops and coordinates HRSA-wide plans, budgets, policies, and procedures for IT infrastructure services.

Specifically, OIG reviewed controls over inventory management, patch management, antivirus management, event management, logical access, encryption, configuration management, Web vulnerability management, and Universal Serial Bus (USB) port control management. OIG interviewed HRSA's security and IT personnel, reviewed policies and procedures, and tested controls in place at the agency.

The report found that HRSA had not fully implemented or monitored some information security controls. OIG identified six categories of vulnerabilities:

• IT asset inventory management—HRSA did not track and manage IT inventory effectively.

• Patch management—HRSA's patch management controls were not implemented and monitored effectively. HRSA had vulnerabilities that, if exploited, could have allowed unauthorized disclosure, modification, or unavailability of critical data.

• Antivirus management—HRSA did not monitor the antivirus status of HRSA-managed assets effectively.

• Logical access—HRSA's Active Directory user accounts were not consistently reviewed as outlined in HRSA's policies.

• Encryption—HRSA did not consistently apply its encryption policies.

• USB port control access—HRSA did not have any policies or procedures to effectively secure USB port control access.

OIG outlined recommendations to HRSA to address these findings. According to OIG, HRSA concurred with 17 of 18 recommendations, partially concurred with one recommendation, and described actions it has taken and plans to take to implement them.


