OIG FISMA Compliance Audit of HHS Shows Improvements Made but Weaknesses Remain

March 17, 2018

The Department of Health and Human Services' Office of Inspector General has published the findings of its fiscal year 2017 audit of HHS compliance with the Federal Information Security Modernization Act of 2014 (FISMA).
The FISMA compliance audit found that HHS continues to improve its information security program, although OIG identified numerous areas of weakness. The findings of the latest FISMA review highlight weaknesses and vulnerabilities similar to those found in the review for fiscal year 2016.
HHS is developing a department-wide Continuous Diagnostics and Mitigation (CDM) program that will allow it to monitor its networks, information systems, and user activity, and its information security programs have been strengthened since the previous audit. Nevertheless, OIG identified many areas where improvements could be made. Weaknesses were found in HHS risk management, identity and access management, configuration management, security training, incident response, contingency planning, and information security continuous monitoring.
There were many areas of concern in configuration management. At all four operating divisions (OPDIVs) there were instances of noncompliance with configuration management policies and procedures. OIG found failures to ensure that all software was up to date and that patches were applied promptly, and vulnerability scans using Security Content Automation Protocol (SCAP) tools were not being performed. OIG also found some operating systems in use that were no longer supported by their vendors. At some OPDIVs, configuration management staff were not tracking approvals, test results, and migration dates within change management tracking tools.
Weaknesses were found in the Detect function, the purpose of which is to develop and implement appropriate activities to identify the occurrence of cybersecurity events.
Training issues were identified, with some OPDIVs having failed to train all staff, including new employees. While the number of employees who had not been adequately trained was low, those individuals pose a significant risk to the security of HHS systems and networks. Two OPDIVs were not effectively tracking the security training status of contractors and employees.
Risk management issues were identified at some of the operating divisions, with risk management policies and procedures not yet finalized. OIG also reports that some OPDIVs could not provide an inventory of all hardware and software in use on their systems, nor could they provide details of unauthorized software in use on their systems.
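The configuration management and risk management findings above (unsupported operating systems, overdue patches, no SCAP scanning, and no complete hardware/software inventory) all come down to reconciling what is actually deployed against what is approved and supported. The following Python script is an added example, not code from the OIG report or from HHS: it runs a small inventory reconciliation over a constructed host list. The operating system names, support-end dates, approved software list, and discovery results are all made up for illustration; in practice they would come from the CDM tooling, vendor lifecycle data, and an authorized software baseline.

```python
"""Added example: reconcile a constructed host/software inventory against
configuration-management expectations. All OS names, support-end dates,
approved software and host records below are made-up placeholders."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Host:
    name: str
    os: str              # hypothetical OS family name
    os_version: str
    last_patched: date   # date the host last received patches
    software: list = field(default_factory=list)


# Hypothetical vendor support-end dates keyed by (os, version).
SUPPORT_END = {
    ("exampleos", "7"): date(2015, 1, 1),   # already out of support
    ("exampleos", "8"): date(2030, 1, 1),
    ("otheros", "2"): date(2017, 6, 30),
}

# Constructed authorized software baseline.
APPROVED_SOFTWARE = {"backup-agent", "av-agent", "ssh-server"}

# Constructed inventory as an OPDIV might record it.
INVENTORY = [
    Host("web01", "exampleos", "8", date(2018, 3, 1), ["ssh-server", "av-agent"]),
    Host("db01", "exampleos", "7", date(2018, 1, 5), ["backup-agent", "p2p-share"]),
    Host("app02", "otheros", "2", date(2017, 11, 20), ["av-agent", "remote-tool"]),
]

# Constructed set of hosts actually observed by a network discovery scan.
DISCOVERED = {"web01", "db01", "app02", "unknown-laptop"}


def audit_inventory(hosts, discovered, as_of, max_patch_age_days=30):
    """Return findings grouped by weakness type.

    - unsupported_os: OS/version past vendor support, or with no known
      support record (treated conservatively as unsupported).
    - patch_overdue: last patch date older than max_patch_age_days.
    - unauthorized_software: installed packages not on the approved list.
    - not_in_inventory: discovered hosts absent from the inventory, i.e.
      gaps in the hardware inventory itself.
    """
    findings = {
        "unsupported_os": [],
        "patch_overdue": [],
        "unauthorized_software": {},
        "not_in_inventory": [],
    }
    patch_cutoff = as_of - timedelta(days=max_patch_age_days)

    for h in hosts:
        end = SUPPORT_END.get((h.os, h.os_version))
        if end is None or end < as_of:
            findings["unsupported_os"].append(h.name)
        if h.last_patched < patch_cutoff:
            findings["patch_overdue"].append(h.name)
        unauthorized = sorted(set(h.software) - APPROVED_SOFTWARE)
        if unauthorized:
            findings["unauthorized_software"][h.name] = unauthorized

    known = {h.name for h in hosts}
    findings["not_in_inventory"] = sorted(discovered - known)
    return findings


if __name__ == "__main__":
    for kind, items in audit_inventory(INVENTORY, DISCOVERED, date(2018, 3, 17)).items():
        print(f"{kind}: {items}")
```

The discovery-versus-inventory comparison is the part most often missing in practice: an OPDIV that cannot list its devices cannot know which of them are unpatched or unsupported, so the inventory gap is reported as a finding in its own right rather than silently ignored.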
Problems with identity and access management included account management procedures not always being followed, including the review and maintenance of shared accounts. There were failures to remove inactive accounts, to enforce password resets on active accounts, and to deactivate accounts promptly when employees were transferred or terminated.
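The identity and access management findings describe four account-lifecycle checks that an auditor (or a nightly job) can run mechanically: enabled accounts with no recent logon, enabled accounts whose password has not been reset within policy, accounts still enabled after HR records the user as terminated or transferred, and shared accounts with no documented review. The Python script below is an added example, not code from the OIG report or from HHS; the account records, HR records and threshold values are constructed placeholders, and the thresholds (90 days inactive, 60-day password age, one-day deactivation window, 90-day shared-account review) are assumptions standing in for whatever the policy actually sets.

```python
"""Added example: account-lifecycle hygiene audit over constructed data.
Usernames, dates, HR statuses and policy thresholds are all made up."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]        # None = never logged in
    password_last_set: date
    shared: bool = False
    last_review: Optional[date] = None  # last documented review (shared accounts)


@dataclass
class HrRecord:
    status: str      # "active", "terminated" or "transferred"
    effective: date  # date the status took effect


# Constructed directory export.
ACCOUNTS = [
    Account("alice", True, date(2018, 3, 10), date(2018, 2, 1)),
    Account("bob", True, date(2017, 10, 1), date(2017, 9, 1)),
    Account("carol", True, date(2018, 3, 1), date(2018, 3, 1)),
    Account("dave", False, None, date(2017, 1, 1)),              # already disabled
    Account("erin", True, None, date(2018, 3, 1)),               # never used
    Account("svc-backup", True, date(2018, 3, 16), date(2018, 2, 15), shared=True),
]

# Constructed HR feed keyed by username.
HR = {
    "alice": HrRecord("active", date(2015, 6, 1)),
    "bob": HrRecord("active", date(2016, 2, 1)),
    "carol": HrRecord("terminated", date(2018, 3, 1)),
    "dave": HrRecord("terminated", date(2017, 2, 1)),
    "erin": HrRecord("active", date(2018, 2, 26)),
}


def audit_accounts(accounts, hr, as_of, inactive_days=90,
                   password_max_age_days=60, deactivate_sla_days=1,
                   review_days=90):
    """Return findings for each of the account-management weaknesses.

    Disabled accounts are skipped for the inactivity and password checks
    because they cannot be used; a disabled account of a terminated user
    is the desired end state, not a finding.
    """
    inactive_cutoff = as_of - timedelta(days=inactive_days)
    password_cutoff = as_of - timedelta(days=password_max_age_days)
    review_cutoff = as_of - timedelta(days=review_days)
    findings = {
        "inactive_enabled": [],
        "password_stale": [],
        "separated_still_enabled": [],   # (username, days past SLA)
        "shared_without_review": [],
    }
    for a in accounts:
        if not a.enabled:
            continue
        if a.last_login is None or a.last_login < inactive_cutoff:
            findings["inactive_enabled"].append(a.username)
        if a.password_last_set < password_cutoff:
            findings["password_stale"].append(a.username)
        rec = hr.get(a.username)
        if rec is not None and rec.status in ("terminated", "transferred"):
            overdue = (as_of - rec.effective).days - deactivate_sla_days
            if overdue > 0:
                findings["separated_still_enabled"].append((a.username, overdue))
        if a.shared and (a.last_review is None or a.last_review < review_cutoff):
            findings["shared_without_review"].append(a.username)
    return findings


if __name__ == "__main__":
    for kind, items in audit_accounts(ACCOUNTS, HR, date(2018, 3, 17)).items():
        print(f"{kind}: {items}")
```

Shared accounts are handled as their own category rather than folded into the inactivity check because a shared service account is often used daily; the weakness the audit describes is the absence of a periodic review of who holds the credential, which no logon timestamp can reveal.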
The weaknesses and vulnerabilities identified in the report are common across the healthcare industry. The HHS' Office for Civil Rights has fined HIPAA covered entities for failings similar to those identified by OIG.
OIG has made a number of recommendations to HHS to improve security policies, processes, and procedures to further reduce risk and ensure compliance with FISMA. HHS concurred with all of OIG's recommendations and will work on implementing additional controls and updating its policies and procedures accordingly.