
GAO audit finds HHS information security program ‘not effective’

The Government Accountability Office found that the Department of Health and Human Services’ information security program is “not effective” when measured against the standards set by the Federal Information Security Modernization Act of 2014 (FISMA), according to HealthITSecurity.

Auditors from Ernst & Young, who evaluated the HHS program against applicable federal laws, regulations and guidance, found that the agency had improved in its implementation of data exfiltration controls, configuration management controls and ongoing monitoring of systems holding an Authorization to Operate.

However, HHS was found to be lacking in the implementation of information security continuous monitoring across its operating divisions; such monitoring is what gives the agency reliable information for decision making. The auditors identified several areas in which the program was ineffective, including its identify, protect, detect, respond and recover function areas; contingency planning; and implementation of the FISMA metrics.

GAO recommended that HHS commit to acting on the results of its previous risk assessments, continue improving its information security controls and cybersecurity program, and close the gap between its current maturity levels and the agency’s own defined target maturity for each function area of its cybersecurity framework.

Jill Aitoro

Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She has 20 years of experience editing and reporting on technology, business and policy.
