HHS closes FISMA gaps, but cyber risks remain

The Department of Health and Human Services Inspector General released an audit by Ernst & Young that found HHS and its components had made progress implementing cybersecurity protections to conform to Federal Information Security Modernization Act standards, but that the agency has ample room for improvement.

The auditors found HHS hasn't fully implemented a department-wide continuous monitoring program that shows how it operating divisions address threats, implement strategies and report on cybersecurity metrics.  The report recommends additional work on vulnerability management, software assurance, information management, patch management, license management, event management, malware detection, asset management and network management.

The report also said HHS operating divisions did not consistently review, remediate or address risks from vulnerabilities found in configuration baseline compliance and vulnerability scans done through Security Content Automation Protocol tools.

Auditors found that three divisions were fielding IT systems with expired authority to operate certificates. More generally, the report found that all operating divisions need to do a better job of making sure hardware and software inventories are up to date.

The report noted that the five operating divisions failed to consistently implement account management procedures for shared accounts and personnel. Additionally, there were weaknesses found in controls of contactor systems. Two of the five HHS divisions did not maintain a complete inventory of contractor systems, and some external systems that maintained network connections with HHS systems did not have appropriate security documentation.

Taken together, the weaknesses "could potentially compromise the confidentiality, integrity, and availability of HHS’ sensitive information and information systems," the report warned.

The HHS OCIO has partially or fully concurred with all the recommendations, according to the report.