GAO: HHS must improve information security

Its systems are seen as vulnerable to hackers, but department officials disagree

The U.S. Department of Health and Human Services (HHS) has “significant” weaknesses in its information security, leaving its systems vulnerable to hackers who could gain access to the agency’s sensitive data, according to a report released yesterday by the U.S. Government Accountability Office (GAO).

However, HHS officials disagree with the report, saying, in part, that the GAO based its report on outdated information.

“HHS and CMS [Centers for Medicare and Medicaid Services] in particular have significant weaknesses in electronic access controls and other information system controls designed to protect the confidentiality, integrity and availability of information and information systems,” the GAO report said. “A key reason for these weaknesses is that the department has not yet fully implemented a department-wide information security program. As a result, HHS’s medical and financial information systems are vulnerable to unauthorized access, use, modification and destruction that could disrupt the department’s operations.”

The GAO analysis found that HHS did not consistently configure network services and devices securely to prevent unauthorized access and ensure the integrity of computer systems on its networks. In addition, the GAO identified weaknesses in the way HHS divisions and contractors restricted network access, managed antivirus software, configured network devices and protected information crossing department networks.

For example, according to the GAO:

  • System administrative access isn’t always adequately restricted, and unnecessary services are available on several network devices, increasing the risk that unauthorized individuals could gain access to the operating system;
  • Antivirus software is not always installed or kept up to date on the divisions’ and contractors’ workstations, increasing the chance that viruses could infect system operations;
  • Key network devices are not securely configured to prevent unauthorized individuals from gaining access to the internal network;
  • HHS’s operating divisions and contractors do not consistently patch their computer systems and network devices in a timely manner.

The report also said that HHS does not adequately control user accounts and passwords; gives some users access to more departmental information and medical systems than they need; and has not consistently audited and monitored security-related activity on its systems.

The GAO recommended that the HHS CIO take steps to fully implement key elements of the department’s information security program at all operating divisions.

But in a written response, Daniel Levinson, the HHS inspector general (IG), said that while the agency supports the GAO’s overall emphasis on improvements to its security program, it does not believe the report sufficiently reflects the agency’s recent progress in this area. HHS also said the GAO reviewed reports issued by the IG’s office in 2004 and 2005 but did not take into consideration an additional seven months’ work HHS has done to improve its information security.

“The evaluation approach utilized by the GAO does not provide an accurate or complete appraisal of the HHS enterprise-wide information security program,” Levinson said.

Copyright © 2006 IDG Communications, Inc.
