OIG Report Reveals Information Security Issues at HHS | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

OIG Report Reveals Information Security Issues at HHS

May 6, 2015
by Rajiv Leventhal
| Reprints

A report from the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) has found that information security at HHS needs improvement because controls have not been fully implemented and monitored.

For the report, OIG reviewed selected security controls at the Health Resources and Services Administration (HRSA), an HHS agency, which is comprised of six bureaus and 13 offices, providing leadership and financial support to healthcare providers across the country. HRSA’s Office of Information Technology (OIT) develops and coordinates HRSA-wide plans, budgets, policies, and procedures for IT infrastructure services.

Specifically, OIG reviewed controls over inventory management,  patch management, antivirus management, event management, logical access, encryption, configuration management, Web vulnerability management, and Universal Serial Bus (USB) port control management. OIG interviewed HRSA's security and IT personnel, reviewed policies and procedures, and tested controls in place at the agency.

The report found that HRSA had not fully implemented or monitored some information security controls. OIG identified six categories of vulnerabilities:

• IT asset inventory management—HRSA did not track and manage IT inventory effectively.

• Patch management—HRSA's patch management controls were not implemented and monitored effectively. HRSA had vulnerabilities that, if exploited, could have allowed unauthorized disclosure, modification, or unavailability of critical data.

• Antivirus management—HRSA did not monitor the antivirus status of HRSA-managed assets effectively.

• Logical access—HRSA's Active Directory user accounts were not consistently reviewed as outlined in HRSA's policies.

• Encryption—HRSA did not consistently apply their encryption policies.

• USB port control access—HRSA did not have any policies or procedures to effectively secure USB port control access.

OIG outlined recommendations to HRSA to address these findings. It said that HRSA concurred with 17 of 18 recommendations and partially concurred with one recommendation, and described actions it has taken and plans to take to implement them.

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Advocate Aurora Health, Foxconn Plan Employee Wellness, “Smart City,” and Precision Medicine Collaboration

Wisconsin-based Advocate Aurora Health is partnering with Foxconn Health Technology Business Group, a Taiwanese company, to develop new technology-driven healthcare services and tools.

Healthcare Data Breach Costs Remain Highest at $408 Per Record

The cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year, as the healthcare industry also continues to incur the highest cost for data breaches compared to any other industry, according to a new study from IBM Security and the Ponemon Institute.

Morris Leaves ONC to Lead VA Office of Electronic Health Record Modernization

Genevieve Morris, who has been detailed to the U.S. Department of Veterans Affairs (VA) from her position as the principal deputy national coordinator for the Department of Health and Human Services, will move over full time to lead the newly establishment VA Office of Electronic Health Record Modernization.

Cedars-Sinai Accelerator Program Presents Fourth Class of Startups

The Cedars-Sinai Accelerator, a program that helps entrepreneurs bring their innovative technology products to market, has brought in nine more health tech startups as part of its fourth class.

DirectTrust Adds Five Board Members

DirectTrust, a nonprofit organization that support health information exchange, announced the appointment of five new executives to its board of directors.

Analysis: Many States Continue to Have Restrictive Telemedicine Policies

State Medicaid programs are evolving to accelerate the adoption of telemedicine models, this evolution is occurring more quickly in some states than others, according to a recent analysis by Manatt Health.