Audit Shows Information Security Controls at HRSA Lacking
Some of the Health Resources and Services Administrations information security controls have not been fully implemented or monitored, according to an audit by the Department of Health and Human Services Office of the Inspector General.
Some of the Health Resources and Services Administrations information security controls have not been fully implemented or monitored, according to an audit by the Department of Health and Human Services Office of the Inspector General.
HRSA is the primary agency within the Department of Health and Human Services for improving access to healthcare. As OIG points out in its report, HRSA is an information-intensive organization and the management of its IT resources is essential for achieving agency goals. OIG reviewed controls over inventory management, patch management, antivirus management, event management, logical access, encryption, configuration management, web vulnerability management, and Universal Serial Bus port control management.
Also See: HHS OIG to Study Meaningful Use Payments and EHR Security
What auditors found was that:
*IT asset inventory management did not track and manage IT inventory effectively.
*Patch management controls were not implemented and monitored effectively. HRSA had vulnerabilities that, if exploited, could have allowed unauthorized disclosure, modification, or unavailability of critical data.
*Antivirus management did not monitor the antivirus status of HRSA-managed assets effectively.
*Encryption did not consistently apply encryption policies.
*And, USB port control access did not have any policies or procedures to effectively secure USB ports.
While the public report does not include specific details of the vulnerabilities identified, auditors did provide more detailed information and recommendations to HRSA so that it can address the specific shortfalls.
In written comments to OIG, HRSA concurred with 17 of 18 recommendations and partially concurred with one recommendation and described actions it has taken and plans to take to implement them.
The full OIG report can be found here.
HRSA is the primary agency within the Department of Health and Human Services for improving access to healthcare. As OIG points out in its report, HRSA is an information-intensive organization and the management of its IT resources is essential for achieving agency goals. OIG reviewed controls over inventory management, patch management, antivirus management, event management, logical access, encryption, configuration management, web vulnerability management, and Universal Serial Bus port control management.
Also See: HHS OIG to Study Meaningful Use Payments and EHR Security
What auditors found was that:
*IT asset inventory management did not track and manage IT inventory effectively.
*Patch management controls were not implemented and monitored effectively. HRSA had vulnerabilities that, if exploited, could have allowed unauthorized disclosure, modification, or unavailability of critical data.
*Antivirus management did not monitor the antivirus status of HRSA-managed assets effectively.
*Encryption did not consistently apply encryption policies.
*And, USB port control access did not have any policies or procedures to effectively secure USB ports.
While the public report does not include specific details of the vulnerabilities identified, auditors did provide more detailed information and recommendations to HRSA so that it can address the specific shortfalls.
In written comments to OIG, HRSA concurred with 17 of 18 recommendations and partially concurred with one recommendation and described actions it has taken and plans to take to implement them.
The full OIG report can be found here.
More for you
Loading data for hdm_tax_topic #reducing-cost...