HHS Information Security Program Deemed ‘Not Effective’

Robinson+Cole Data Privacy + Security Insider

There was unfortunately some bleak news recently from the Department of Health & Human Services (HHS) Office of the Inspector General (OIG). The OIG released the results of a performance audit of HHS’ compliance with the Federal Information Security Modernization Act of 2014 (FISMA). The OIG report notes that FISMA requires an annual independent evaluation of the agency’s information security program and practices to determine their effectiveness.

Although the report noted some improvements over previous years, the audit concluded that HHS’ information security program was ‘Not Effective.’

In the crucial area of data protection and privacy, the report outlined the following findings:

  • The Department did not document its review and updates of the guidance associated with privacy-based risk assessments to reflect the current environment.
  • One Operating Division’s guidance and requirements for addressing data protection and privacy controls were not updated within two years, as HHS requires.
  • Security requirements outlined in privacy impact assessments were outdated or incomplete.

The Data Protection and Privacy section of the report also indicated weaknesses in the security controls for protecting personally identifiable information (PII) and other agency sensitive data throughout the data lifecycle. A final recommendation regarding data protection and security, with which HHS concurred, was that HHS must update relevant Department policies, procedures, and guidance, and also work with the Operating Divisions to measure the effectiveness of privacy-specific controls and training.

Given the enormous amount of personal and health information in the federal government’s possession, the risk and unfortunate likelihood of a data breach, and the value of that personal and health data, the federal government, and HHS in particular, must make the necessary improvements to its data privacy and security measures.
