Healthcare Informatics Magazine

OIG Report Reveals Information Security Issues at HHS

May 6, 2015
by Rajiv Leventhal

A report from the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) has found that information security at HHS needs improvement because controls have not been fully implemented and monitored.

For the report, OIG reviewed selected security controls at the Health Resources and Services Administration (HRSA), an HHS agency that comprises six bureaus and 13 offices and provides leadership and financial support to healthcare providers across the country. HRSA’s Office of Information Technology (OIT) develops and coordinates HRSA-wide plans, budgets, policies, and procedures for IT infrastructure services.

Specifically, OIG reviewed controls over inventory management, patch management, antivirus management, event management, logical access, encryption, configuration management, Web vulnerability management, and Universal Serial Bus (USB) port control management. OIG interviewed HRSA's security and IT personnel, reviewed policies and procedures, and tested controls in place at the agency.

The report found that HRSA had not fully implemented or monitored some information security controls. OIG identified six categories of vulnerabilities:

• IT asset inventory management—HRSA did not track and manage IT inventory effectively.

• Patch management—HRSA's patch management controls were not implemented and monitored effectively. HRSA had vulnerabilities that, if exploited, could have allowed unauthorized disclosure, modification, or unavailability of critical data.

• Antivirus management—HRSA did not monitor the antivirus status of HRSA-managed assets effectively.

• Logical access—HRSA's Active Directory user accounts were not consistently reviewed as outlined in HRSA's policies.

• Encryption—HRSA did not consistently apply its encryption policies.

• USB port control access—HRSA did not have any policies or procedures to effectively secure USB port control access.

OIG outlined recommendations to HRSA to address these findings. OIG said that HRSA concurred with 17 of 18 recommendations and partially concurred with one recommendation, and that HRSA described actions it has taken and plans to take to implement them.
