The report recommends solutions to better secure sensitive systems and information at HHS and its operating divisions, including making the Chief Information Security Officer the “primary authority for information security” and moving all information security functions (including the CISO) to the general or chief counsel’s office.
More on the report from the Washington Times, The Hill, and Federal News Radio, below.
Washington Times, August 7, 2015 - HHS hacked five times in three years, House committee says
“What we found is alarming and unacceptable,” committee Chairman Fred Upton, Michigan Republican, and Oversight and Investigations Subcommittee Chairman Tim Murphy, Pennsylvania Republican, said in a joint statement. “At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack.”
The 27-page review of HHS information security found that five operating divisions had been breached using unsophisticated means within the past three years, including the FDA.
“Of concern to the committee,” the report reads, “officials at the affected agencies often struggled to provide accurate, clear and sufficient information on the security incidents” during the course of their investigation. …
According to the committee, officials at two breached agencies were unable to provide accurate details about security incidents within their own networks.
“These incidents raise questions about whether information security officials have the appropriate level of expertise,” the report reads.
“While it is impossible to fully protect against cyber attacks, we have a responsibility to approach these issues with necessary foresight and diligence to minimize vulnerabilities and maximize security,” Upton and Murphy said. …
The Hill, August 7, 2015 - HHS hacked five times in three years
That's according to the House Energy & Commerce Committee, which on Thursday released its findings from a yearlong look into the security of HHS networks ….
The committee launched the security review after the Food and Drug Administration (FDA), a department within HHS, suffered a breach in late 2013 that exposed account details on more than 14,000 people. …
“Of concern to the committee, officials at the affected agencies often struggled to provide accurate, clear and sufficient information on the security incidents during the committee’s investigation,” the report said.
In some cases, the confusion may have resulted from information security workers not being given the right authorities. …
In other cases, offices were poorly organized or simply made mistakes. …
Federal News Radio, Aug 7, 2015 - House panel: HHS’ lawyers could secure IT networks better than its CIOs
The report, by Republicans on the House Committee on Energy and Commerce, concludes that agency lawyers, who are trained to minimize risks, would do a better job of safeguarding IT networks. ...
“What we found is alarming and unacceptable. At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack. With the recent Office of Personnel Management attack serving as another example of how wrong things can go, this report pulls back the curtain and sheds light on serious deficiencies in HHS’s information security practices,” said Committee Chairman Fred Upton (R-Mich.) and Rep. Tim Murphy (R-Pa.) in a joint statement.
By law, chief information security officers (CISO) now are part of CIO offices. But the two roles have different priorities. CIOs want network operations to run smoothly. Security concerns — the purview of CISOs — may delay or slow down those operations.
When there is a conflict between the two, “operational needs are prioritized and security concerns downplayed, delayed or ignored,” the report said. …
The committee recommended that HHS strip its CIOs of all security-related responsibilities. CISOs would move from the CIO offices to those of the general counsel. ...
“We look forward to working with HHS, FDA, NIH, and others to develop solutions to better protect this information. Unfortunately, the bar has been set low and we have nowhere to go but up,” Upton and Murphy said in their written statement.