Information Security: Department of Health and Human Services Needs to Fully Implement Its Program

GAO-06-267 February 24, 2006

Summary

The Department of Health and Human Services (HHS) is the nation's largest health insurer and the largest grant-making agency in the federal government. HHS programs impact all Americans, whether through direct services, scientific advances, or information that helps them choose medical care, medicine, or even food. For example, the Centers for Medicare & Medicaid Services (CMS), a major operating division within HHS, is responsible for the Medicare and Medicaid programs that provide care to about one in every four Americans. In carrying out their responsibilities, both HHS and CMS rely extensively on networked information systems containing sensitive medical and financial information. GAO was asked to assess the effectiveness of HHS's information security program, with emphasis on CMS, in protecting the confidentiality, integrity, and availability of its information and information systems.

HHS and CMS have significant weaknesses in controls designed to protect the confidentiality, integrity, and availability of their sensitive information and information systems. HHS computer networks and systems have numerous electronic access control vulnerabilities related to network management, user accounts and passwords, user rights and file permissions, and auditing and monitoring of security-related events. In addition, weaknesses exist in other types of controls designed to physically secure computer resources, conduct suitable background investigations, segregate duties appropriately, and prevent unauthorized changes to application software. All of these weaknesses increase the risk that unauthorized individuals can gain access to HHS information systems and inadvertently or deliberately disclose, modify, or destroy the sensitive data that the department relies on to deliver its vital services. A key reason for these control weaknesses is that the department has not yet fully implemented a departmentwide information security program. While HHS has laid the foundation for such a program by developing and documenting policies and procedures, the department has not yet fully implemented key elements of its information security program at all of its operating divisions. Specifically, HHS and its operating divisions have not fully implemented elements related to (1) risk assessments, (2) policies and procedures, (3) security plans, (4) security awareness and training, (5) tests and evaluations of control effectiveness, (6) remedial actions, (7) incident handling, and (8) continuity of operations plans. Until HHS fully implements a comprehensive information security program, security controls may remain inadequate; responsibilities may be unclear, misunderstood, and improperly implemented; and controls may be inconsistently applied. Such conditions may lead to insufficient protection of sensitive or critical resources and disproportionately high expenditures for controls over low-risk resources.

Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Gregory C. Wilshusen
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6244

Recommendations for Executive Action

Recommendation: To help HHS fully implement its departmentwide information security program, the Secretary of HHS should direct the Chief Information Officer to develop and implement policies and procedures to ensure the establishment of minimum acceptable configuration requirements.

Agency Affected: Department of Health and Human Services

Status: In process

Comments: The Department of Health and Human Services, in response to our recommendation, as of July 2006, has developed ten minimum security configuration standards that must be implemented on applicable systems. The minimum configurations are reviewed on an annual basis and updated. GAO has not yet verified these actions.

Recommendation: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions develop comprehensive risk assessments that address key elements.

Agency Affected: Department of Health and Human Services

Status: In process

Comments: The Department of Health and Human Services (HHS), in response to our recommendation, as of FY 2007, has required all system certification and accreditation (C&A) packages to include risk assessments, consistent with the National Institute of Standards and Technology's Special Publication 800-37. HHS has also developed and fully implemented an enterprise-wide C&A checklist. GAO has not yet verified these actions.

Recommendation: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions complete system security plans for all systems.

Agency Affected: Department of Health and Human Services

Status: In process

Comments: The Department of Health and Human Services (HHS), in response to our recommendation, as of FY 2007, has required all system certification and accreditation (C&A) packages to include a detailed system security plan, consistent with the National Institute of Standards and Technology's Special Publication 800-18. HHS has also developed and fully implemented an enterprise-wide C&A checklist. GAO has not yet verified these actions.

Recommendation: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions provide specialized training to all individuals with significant security responsibilities.

Agency Affected: Department of Health and Human Services

Status: In process

Comments: The Department of Health and Human Services (HHS), in response to our recommendation, as of FY 2006, has reported that 99 percent of employees with significant security responsibilities have been trained. A training sub-committee continues to identify tracking mechanisms for training, and to identify curricula. GAO has not yet verified these actions.

Recommendation: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions conduct tests and evaluations of the effectiveness of controls on operational systems, and document results.

Agency Affected: Department of Health and Human Services

Status: In process

Comments: The Department of Health and Human Services (HHS), in response to our recommendation, as of FY 2007, has required all system certification and accreditation (C&A) packages to include an initial and thorough security control test and evaluation (ST&E), with documented results. HHS tracks completion of ST&Es at the enterprise and division levels. GAO has not yet verified these actions.

Recommendation: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions review remedial action plans to ensure that they address all previously identified weaknesses and key corrective action information.

Agency Affected: Department of Health and Human Services

Status: In process

Comments: The Department of Health and Human Services (HHS), in response to our recommendation, as of FY 2007, has implemented quarterly compliance review and continuous monitoring to provide a qualitative assessment of weaknesses described in plans of action and milestones. HHS uses an automated tool to track all weaknesses and ensure that they are reviewed for completeness prior to their quarterly submission to OMB. GAO has not yet verified these actions.

Recommendation: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions implement intrusion detection systems and configure them to use consistent criteria for the detection and reporting of security incidents and events.

Agency Affected: Department of Health and Human Services

Status: In process

Comments: The Department of Health and Human Services (HHS), in response to our recommendation, as of FY 2007, has implemented security intrusion detection monitors throughout its enterprise. Additionally, HHS provides detailed, real-time alerts to security staff and management, as well as a consolidated view of the security posture of the entire enterprise. GAO has not yet verified these actions.

Recommendation: The Secretary of HHS should direct the Chief Information Officer to ensure that operating divisions develop and test continuity of operations plans for all of their systems.

Agency Affected: Department of Health and Human Services

Status: In process

Comments: The Department of Health and Human Services (HHS), in response to our recommendation, as of FY 2007, has reported that over 99 percent of systems have fully developed and tested contingency plans. GAO has not yet verified these actions.