Report Details Structural Flaws in HHS’ Information Security | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Report Details Structural Flaws in HHS’ Information Security

August 13, 2015
by Rajiv Leventhal
| Reprints

A report from the House Energy and Commerce Committee has detailed details serious structural flaws at the U.S. Department of Health & Human Services (HHS) and its operating divisions, including the Food and Drug Administration (FDA) and the National Institutes of Health (NIH), which have led to poor information security.

The report, entitled, “Information Security at the Department of Health and Human Services,” was released by Committee Chairman Fred Upton (R-MI) and Oversight and Investigations Subcommittee Chairman Tim Murphy (R-PA), and follows the committee’s yearlong investigation. According to the report’s executive summary, to the committee’s knowledge, “five HHS operating divisions have been breached using unsophisticated means within the last three years. Of concern to the committee, officials at the affected agencies often struggled to provide accurate, clear, and sufficient information on the security incidents during the committee’s investigation.” These problems have left HHS vulnerable to cyberattacks, which the report outlines have been numerous the past few years.

The report demonstrates that throughout HHS and its operating divisions, when information security is put under the purview of the chief information officer, operations become the priority concern while security becomes a secondary interest. Included in the report are a number of recommendations to improve information security at HHS and its operating divisions. Most notably, the report recommends making the chief information security officer (CISO) the “primary authority for information security” and moving all information security functions (including the CISO) to the general or chief counsel’s office, where reducing and mitigating risk is the primary function.

“What we found is alarming and unacceptable. At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack. With the recent Office of Personnel Management attack serving as another example of how wrong things can go, this report pulls back the curtain and sheds light on serious deficiencies in HHS’s information security practices,” said Upton and Murphy.

Upton and Murphy concluded, “While it is impossible to fully protect against cyber attacks, we have a responsibility to approach these issues with necessary foresight and diligence to minimize vulnerabilities and maximize security. We look forward to working with HHS, FDA, NIH, and others to develop solutions to better protect this information. Unfortunately, the bar has been set low and we have nowhere to go but up.”

In May, a report from the HHS’ Office of Inspector General (OIG) found that information security at HHS needs improvement because controls have not been fully implemented and monitored.

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

Analysis: Healthcare Ransomware Attacks Decline in First Half of 2018

In the first half of 2018, ransomware events in major healthcare data breaches diminished substantially compared to the same time period last year, as cyber attackers move on to more profitable activities, such as cryptojacking, according to a new report form cybersecurity firm Cryptonite.

Dignity Health, UCSF Health Partner to Improve the Digital Patient Experience

Dignity Health and UCSF Health are collaborating to develop a digital engagement platform that officials believe will provide information and access to patients when and where they need it as they navigate primary and preventive care, as well as more acute or specialty care.

Report: Digital Health VC Funding Surges to Record $4.9 Billion in 2018

Global venture capital funding for digital health companies in the first half of 2018 was 22 percent higher year-over-year (YoY) with a record $4.9 billion raised in 383 deals compared to the $4 billion in 359 deals in the same time period last year, according to Mercom Capital Group’s latest report.

ONC Roundup: Senior Leadership Changes Spark Questions

The Office of the National Coordinator for Health IT (ONC) has continued to experience changes within its upper leadership, leading some folks to again ponder what the health IT agency’s role will be moving forward.

Media Report: Walmart Hires Former Humana Executive to Run Health Unit

Reigniting speculation that Walmart and insurer Humana are exploring ways to forge a closer partnership, Walmart Inc. has hired a Humana veteran to run its health care business, according to a report from Bloomberg.

Value-Based Care Shift Has Halted, Study Finds

A new study of 451 physicians and health plan executives suggests that progress toward value-based care has stalled. In fact, it may have even taken a step backward over the past year, the research revealed.