[ISN] HHS rebuts GAO's security assessment

[InfoSec News]

http://govhealthit.com/article92719-03-23-06-Web

By Nancy Ferris
Mar. 23, 2006 

The Department of Health and Human Services and the Government
Accountability Office are at odds over a GAO report [1] that describes
HHS' information systems as vulnerable to hackers, identity thieves
and privacy breaches.

The report states that sensitive Medicare records could be lost or 
stolen because of numerous information security flaws. But the 
department's official response, sent by Inspector General Daniel 
Levinson, brags about HHS' progress, denies that the flaws are 
significant and states that GAO based its conclusions on outdated 
reports.

The 46-page GAO report, requested by Sen. Charles Grassley (R-Iowa), 
chairman of the Senate Finance Committee, states that "significant 
weaknesses in information security controls at HHS and at [HHS' 
Centers for Medicare and Medicaid Services] in particular put at risk 
the confidentiality, integrity and availability of their sensitive 
information and information systems."

Grassley issued a statement stating that "instead of firewalls to 
safeguard sensitive data, we have Swiss cheese. These agencies have to 
once and for all implement their data protection programs and put the 
security back into information security."

To prepare the report, GAO investigators reviewed reports issued in 
2004 and 2005 by Levinson’s office and outside auditors. But HHS 
responded that the auditors omitted a 2005 IG report showing the 
department had made substantial progress.

"The frequent use of the word "significant" to describe control 
weaknesses documented throughout this GAO assessment evokes a negative 
connotation that is not reflective of the progress or current state of 
HHS' information security program," according to the HHS response.

"HHS is proud of its information security program and the progress it 
has made over the last fiscal year," the response adds.

The GAO report cites deficiencies in almost every aspect of 
information security at HHS, including firewalls, intrusion-detection 
systems, security policies, training and passwords. Many of its 
criticisms are leveled at the contractors that process Medicare claims 
for CMS. For example, it says five of the contractors had no 
intrusion-detection systems in place.

CMS is reducing the number of Medicare claims processing contractors 
and data centers, partly to improve controls and data security.

But HHS did not escape criticism. In one case, an HHS agency used 
router and firewall logs for troubleshooting instead of for intrusion 
detection, the report states. 

The report called on HHS to implement a departmentwide information 
security program, in accordance with the Federal Information Security 
Management Act. HHS said that implementation is well under way.

[1] http://www.gao.gov/new.items/d06267.pdf