United States Department of Health & Human Services: Security Analysis Presentation

Introduction

• United states Department of Health & Human Services (HHS);
• Provision and protection of Americans’ health;
• Health facilities to the helpless;
• Government allocation to HHS;
• HHS association with other governmental agencies;
• Ensureing grants reach the affected people.
• HHS departments have different programs and tasks.
• Information security program.
• Data’s confidentiality and privacy.
• FISMA.
  • FISMA links the HHS’s budget to its performance.
  • FISMA helps in improving information security.

United states Department of Health & Human Services (HHS), is one of the United States government agency mandated with providing and protecting health among the Americans, especially the helpless.

The federal government has allotted about a quarter of its outlays to HHS Medicare and Medicaid insurance.

The Federal Information Security Management Act (FISMA) is designed to link the agency’s budget to its performance in improving information security

Among these programs, the information technology is fundamental in ensuring the confidentiality and privacy of the patients’ data (HHS, 2012b).

Objective of the study

• To improve data storage processes in organizations.
• To cite major HHS security challenges.
• To analyze HHS activities on information security.
• To recommend efficient data management to HHS.
• To avoid unlawful spreading of information.
• To assess cyber security in HHS.

Objectives of the Information Security Program in HHS

Overall objective to protect HHS information systems operations and assets.

General security objectives on the information:

• Confidentiality.
• Integrity.
• Availability.

Overall objective is to protect the information and systems that support the operations and assets of the agency.

Confidentiality –safeguarding authorized restrictions on information access and disclosure.

Integrity – Guarding against unauthorized information modification or destruction.

Availability – Ensuring timely and reliable access to and use of information.

Problem statement

• U.S health computerization program.
• Information loss by natural calamities.
• E.g. Katrina hurricanes led to destruction records.
• Health histories information retrieval.
• Federal government roles in health sector.
• Eased data retrieval and access.
• Information storage capacity.
• Hacking and data insecurity.
• HHS workers negligence.
• Unclear systems security role.
• Systems interconnection.
• EPLC roles.

Recently, U.S has tried to computerize the health sector to alleviate the cumbersome work done manually on the health records.

Unfortunately, much information could be lost due to natural calamities such as floods and earthquake, e.g. Katrina hurricanes led to destruction of health information records by water.

As a result, it was very hard to retrieve health histories of various patients hence complicating treatment process.

• As a result, the federal government had to computerize the health records program as well as other areas requiring data management.
• This eased information retrieval for quicker process in hospitals and other government supported health programs such as Medicare and Medicaid.
• Computerization keep large amount of information in very compact and secure data storage devices in computers (HHS, 2012a).
• Hacking software has increased insecurity of data stored in the computers (HHS, 2012a).
• Some workers in the HSS have directly or indirectly contributed to health information insecurity because of negligence (HHS, 2012a).

In the past, The role of securing systems belonged to someone else other than the IT Administrators .

The ever-changing risk environment brought about by the interconnection of systems in which all parties involved with systems during the EPLC have a role in securing them.

This raises new challenges to IT Administrators who are the first line of defense once systems are operational.

Information Security Programs at HHS

They are only two:

1. I.HHS Information Security Program (Cybersecurity Program).
2. II.OPDIV Information Security Programs

HHS Information Security Program (known as Cybersecurity Program) – this program strengthens HHS’ security posture across all OPDIVs as well as facilitating Departmental security reporting.

OPDIV Information Security Programs – OPDIV programs implements a security baseline related to the OPDIV mission and the HHS Cybersecurity Program.

Elements of Information Security Program

• Information Security Governance;
• System Security Planning (SSP);
• Integration of Information Security throughout the EPLC;
• Security Authorization;
• Security Awareness and Training;
• IT Contingency Planning (CP);
• Incident Response e.t.c.

These elements are outlined in the NIST SP 800-100, Information Security Handbook: A Guide for Managers.

HHS Policy and Practices

• Information technology resources in HHS.
• Roles of these policies in HHS.
• Assets protection.
• OPDIV CISOs and ISSOs, IT Administrators.
• Other cyber security practitioners.
• Department policy implementation.

HHS security policy protects all IT resources from unauthorized access, disclosure, modification, destruction or misuse.

The policy ensures confidentiality, integrity, availability, authenticity as well as protecting assets from theft, misuse, and unauthorized use.

OPDIV CISOs and ISSOs, IT Administrators, and other cyber security practitioners contribute in the implementation of Department policy.

HHS Policy Significant Deficiency

• Significant deficiencey.
• The roles of the POA&M.
• Weaknesses mitigations progress.

Critical Security Issues

• HHS system are at operations phase.
• Security controls, analysis, and testing.
• Security program confirms and verifies of changes.

A significant deficiency is a weakness in HHS’s overall information system security program, e.g. weakness discovered during an independent review or during assessment.

The POA&M report tracks the number of weaknesses identified at the start of the quarter of financial year.

Status change of the weaknesses, must be reflected in the next POA&M quarterly update.

The POA&M identifies who is responsible for mitigating the weakness as well as milestone dates for completion

The current situation in HHS has Most of the systems at HHS at the operations phase.

Security controls, analysis, and testing missed in life cycle

IT Administrators in HHS must catch up because security remains an ongoing assignment throughout all phases as illustrated below:

• Confirmation of security controls should be regularly monitored.
• To verify that any changes to the system or to the environment do not compromise of security controls.

The Challenge of Information Security

• Effects of security system failure at HHS.
• HHS’ IT professionals and their mission.
• Roles of the HHS’ IT professionals.
• Compliance requirements and system controls.
• Interrelationship of policy, people, procedures, and products.

Security compromise at HHS will:

• Affect most Americans.
• Tarnish HHS’ reputation.
• Broke Citizen/government trust.

HHS mission is protected through HHS’ information technology professionals who assure system security whereas IT Administrators observe compliance requirements and system controls.

HHS has a complex interrelationship that includes policy, people, procedures, and products.

Each element helps you to identify, control, and protect information from unauthorized use.

Vulnerabilities, Threats and Risks

• Information systems, people, environment are imperfect.
• Systems are vulnerable to misuse, accidents and manipulation.
• External threats to HHS programs.
• Internal threats to HHS programs.
• Effects of Vulnerability to HHS information security program.
• Data security in the HHS system.

1. Threats emanates from both internal and external sources to HHS.
2. External forces disrupt system, e.g hacker maliciously accessing or corrupting data, or an ordinary storm disrupting power and network access.
3. Internally, an employee can inappropriately change, delete, or use data.
4. A threat that exploits a vulnerability can allow information to be accessed, manipulated, deleted, or otherwise affected by those without the proper authority.
5. It may also prevent data or a system from being accessed.

Comments and Recommendations

Security Planning Policy and Procedures

• Poor program coordination in HHS.
• Reduce vulnerability by addressing system weaknesses.
• Information security not implemented in entire department.
• Unclear security success in HHS.
• Roles and responsibilities.
• Outdated organization reviews/updates security planning policy.

HHS has been very poor in coordinating the program as (GAO, 2006). HHS should address the weaknesses in their computer networks and system to reduce the vulnerability.

Scope fall under other than satisfied because HHS has not implemented information security in the entire department. Therefore, it cannot be clear where the security has been successful.

Roles and responsibilities in HHS are not clear whereas where present they are poorly implemented or misunderstood.

The organization reviews/updates security planning policy fall under other than satisfied because the time taken to update the database is too much (GAO, 2006). According to report released by GAO, the program cannot be effective because HHS has been reluctant in implementing a clear and comprehensive security program (GAO, 2006).

Security Awareness and Training Policy and Procedures

• Security awareness on HHS information security program.
• Training policy on HHS information security program.
• Less training and awareness on program implementation.
• The policies in HHS department.
• HHS has underdeveloped security awareness training and procedures.
• Poor training and program implementation.

HHS does not develop and formally documents security awareness and training policy . Indeed, there is less training and awareness on the implementation of the program, although the department has drafted the policies.

HHS does not develop or documents security awareness training and procedures based on poor training on the junior staffs on the implementation of the program.

Contingency Planning Policy and Procedures

• HHS plans and clients’ demand
• HHS need to have their information well stored
• Quick responses to security systems problems required.

System Maintenance Policy and Procedures

• HHS has poor systems and high insecurity.
• Maintenance policies and procedures are unclear
• Little efforts in training the employees on maintenance

HHS has been very focused in planning given the demand from its clients on the need to have their information well stored (Howard, 2011). However, the implementation has been poor (Howard, 2011).

As a result, HHS should step up their executives to ensure quick responses to security systems problems.

HHS scored very poorly because of poor systems and other significant issues on security.

The system is a failure and unless quick measures are taken, it could be disastrous in future (NIST, 2010).

Maintenance policies and procedures are not clear (NIST, 2010). Personnel mandated to maintain the HHP system has put little efforts in training the employees (NIST, 2010).

In addition, there has been little documented on the success of the system despite its importance.

Significant Personnel in information security in HHS

• Executives.
• Chief Information Officers (CIOs).
• Chief Information Security Officers (CISOs).
• Contracting Officer’s Technical Representatives (COTRs).
• IT Administrators.
• Privacy Officer among others.

Executives translate Federal policy into HHS policy and set the tone and direction of security initiatives.

Chief Information Officers (CIOs) are responsible for information security (IS) planning, budgeting, investment, performance, and acquisition.

Chief Information Security Officers (CISOs) develop enterprise or OPDIV standards for information security.

Contracting Officer’s Technical Representatives (COTRs) are responsible for some contract administration, such as the technical direction and acceptance.

IT Investment Board manages capital planning and investment control process, as defined by the Clinger-Cohen Act.

Program Managers/System Owners represent programmatic and mission interests during acquisition process and are intimately familiar with function system requirements.

Privacy Officer ensures services or systems being procured meet privacy policy and requirements.

Legal Advisor/Contract Attorney advises on legal issues during the acquisition process.

IT Administrators manage the daily operations and maintenance of an information system.

Further Recommendations

• Implement intrusion detection systems.
• Configure the system for consistent detection and reporting.
• Review remedial action plans.
• To conduct tests and evaluations.
• Complete system security plans for systems.
• Develop and implement policies and procedures.

The Secretary of HHS should direct the Chief Information Officer (CIO) to ensure that operating divisions implement intrusion detection systems and configure them to use consistent criteria for the detection and reporting of security incidents and events.

CIO should ensure that operating divisions review remedial action plans to ensure that they address all previously identified weaknesses and key corrective action information.

CIO should ensure that operating divisions conduct tests and evaluations of the effectiveness of controls on operational systems, and document results.

CIO should ensure that operating divisions complete system security plans for all systems.

CIO should develop and implement policies and procedures to ensure the establishment of minimum acceptable configuration requirements (GAO, 2006).

Health Insurance Portability and Accountability Act (HIPAA)

• HIPAA awareness among IT administrator.
• HIPAA reviews on operations and functionality.

HIPAA is the Health Insurance Portability and Accountability Act. IT Administrators working with medical records systems need to be very aware of HIPAA, as people conducting HIPAA reviews may ask them questions about system operations and functionality.

References

GAO. (2006). Information Security department Of Health and Human Services Needs To Fully Implement Its Program. Web.

HHS. (2012a). About HHS. Web.

HHS. (2012b). Information Security and Privacy Program: HHS Cyber security Program – Leadership for IT Security & Privacy across HHS. Web.

Howard, P. D. (2011). FISMA Principles and Best Practices: Beyond Compliance. Florida: Auerbach Publications.

NIST. (2010). Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans. Gaithersburg, MD: Computer Security Division Information Technology Laboratory National Institute of Standards and Technology.