Some of the Health Resources and Services Administration’s information security controls have not been fully implemented or monitored, according to an audit by the Department of Health and Human Services Office of the Inspector General.

HRSA is the primary agency within the Department of Health and Human Services for improving access to healthcare. As OIG points out in its report, HRSA is an “information-intensive” organization and the management of its IT resources is essential for achieving agency goals. OIG reviewed controls over inventory management, patch management, antivirus management, event management, logical access, encryption, configuration management, web vulnerability management, and Universal Serial Bus port control management.

Also See: HHS OIG to Study Meaningful Use Payments and EHR Security

What auditors found was that:

*IT asset inventory management did not track and manage IT inventory effectively.

*Patch management controls were not implemented and monitored effectively. HRSA had vulnerabilities that, if exploited, could have allowed unauthorized disclosure, modification, or unavailability of critical data.

*Antivirus management did not monitor the antivirus status of HRSA-managed assets effectively.

*Encryption did not consistently apply encryption policies.

*And, USB port control access did not have any policies or procedures to effectively secure USB ports.

While the public report does not include specific details of the vulnerabilities identified, auditors did provide more detailed information and recommendations to HRSA so that it can address the specific shortfalls.

In written comments to OIG, HRSA concurred with 17 of 18 recommendations and partially concurred with one recommendation and described actions it has taken and plans to take to implement them.

The full OIG report can be found here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access