Is Your Entity More Secure than HHS?Experts: Gov Security Flaws Also Common in Private Sector
The Department of Health and Human Services has experienced at least five "unsophisticated" data breaches at its various agencies over the past three years, says a new report from a Congressional panel. And HHS also has a variety of other information security deficiencies, including at the Office for Civil Rights, which oversees HIPAA enforcement.
But some of these government security flaws are also often common problems for private-sector healthcare organizations, say some privacy and security experts.
For instance, CIO-CISO hierarchy-type issues at HHS can also pose problems at private entities. "The overwhelming majority of CISOs report either directly to, or through someone, to the CIO," says Mac McMillan, CEO of security consulting firm CynergisTek. "However, their voice is only as loud as the CIO allows it."
The report by the Republican majority staff of the House Committee on Energy and Commerce, issued on Aug. 6, was spurred by a breach reported by the Food and Drug Administration in late 2013, which affected 14,000 individuals (see FDA Breach Raises Lawmakers' Hackles).
During the panel's investigation into the FDA's information security practices, committee staff become aware of several other information security incidents at FDA and other HHS operating divisions, the report states.
Besides the FDA, other breached HHS divisions include Health Resources and Services Administration, National Institutes of Health, Centers for Medicare and Medicaid Services, Substance Abuse and Mental Health Services Administration, and Indian Health Services.
"The unsophisticated nature of the attacks used against FDA, HRSA, NIH, CMS, IHS, and SAMHSA, as well as the susceptibility of their networks to them, calls into question the adequacy of information security at HHS and its operating divisions," the report says. "The committee's investigation has led committee staff to conclude that a significant weakness exists within the information security programs of these operating divisions and of HHS itself."
OCR, which oversees HIPAA enforcement activities at HHS, is among agencies that have various information security-related weaknesses, the report says.
The committee study notes that a November 2013 audit of OCR by HHS Office of Inspector General found "OCR management focused on the operability of the systems . . . and did not focus on securing the systems used to store, retrieve, process, and track HIPAA Security Rule oversight and enforcement data.
"OCR's focus on operational concerns over security concerns, as noted by OIG, places that data at increased risk of exposure or misuse."
As the committee investigated the various security incidents, several themes emerged that potentially contribute to weaknesses in HHS information security, the report notes.
For example, the committee report states:
- Audits of information security at two HHS operating divisions were constrained due to operational concerns and incompleteness. In both cases, the CIO-CISO hierarchy prevented the CISO from requiring full system audits;
- HHS information security officials are not always permitted full visibility into their own networks as a result of their relationship with agency contractors, who may own and operate portions of agency networks;
- Two information security breaches at two different operating divisions resulted from misconfigurations. A separate breach resulted from a missing "critical" software patch. "These incidents raise questions about whether information security officials have the appropriate level of expertise;"
- The information security officials at one operating division misidentified a list of hacker aliases as a list of security vulnerabilities;
- Officials at two operating divisions were unable to provide accurate information about security incidents within their own networks.
"The tendency to subordinate security concerns to operational concerns stems from the organizational relationship and division of authorities between the CIO and the CISO," the report says. "Currently, the top agency official for information security at HHS is the CIO."
HHS did not immediately respond to an Information Security Media Group request for comment on the report.
Same Issues in Private Sector?
As security and privacy experts reviewed these findings, they saw common flaws in private-sector healthcare entities.
For instance, issues relating to CIO-CISO hierarchy also are widespread, says Tom Walsh, founder of his own security consulting firm.
"We sometimes refer to this as, 'the fox guarding the hen house,'" he says. "In some organizations, information security reports to other departments, such as compliance, legal, etc. There are pros and cons to both arrangements. Mainly depends on the personalities involved and whether the CISO has influence."
Also, the information security reporting structure varies widely in healthcare, notes Keith Fricke, a principal consultant at tw-Security. "There are debates about whether information security should report to parts of the org chart other than IT. Some say there are conflicts of interest in having information security report up to the CIO. Others say that keeping information security within IT can foster collaborative relationships rather than adversarial ones."
Another problem is that not all CISOs are equally qualified for the job, McMillan notes. "Many of the CISOs, or the individuals wearing the CISO title, also lack either the experience or the training to function effectively, or it is a secondary duty for someone," he says. "Both situations could contribute to greater risk of breach."
Another common problem at many private sector healthcare organizations is being "unable to provide accurate information about security incidents within their own networks," Walsh says. That's often due to a lack of documentation, he says. "IT people don't like to document things. Many times they are just so busy trying to address the incident and return the organization back to normal operations, incidents go undocumented."
One of the most critical flaws at HHS cited by the committee report is "breaches ... resulted from misconfigurations," Walsh says. "That's more of a patch management/vulnerability management issue. Those are operational breakdowns and not necessarily the fault of the CISO," he says. However, that issue "is the most serious" because it could potentially lead to a significant breach.
McMillan says he's most concerned with the committee's finding that HHS information security officials were not always permitted full visibility into their networks, due to arrangements with agency contractors. "Any time there are constraints on the ability of the security team to investigate, test or review the environment to detect potential areas of risk, the threat of a successful breach - and more importantly an undetected breach leading to compromise - rises considerably."
The committee report notes that HHS and each of its affected operating divisions addressed the individual vulnerabilities that led to each cyber incident detailed in this report. "However, they did not implement any major policy or structural reforms to address the systemic tensions within HHS's information security program," the report notes. "These systemic tensions stem primarily from the inherent subordination of security to operations that the current CIO-CISO organizational structure creates."
To better account for and balance these concerns, the report recommends that that HHS organizational structure be reformed.
Specifically, the report suggests that:
- CISOs should be designated as the primary authority responsible for information security at HHS and its operating divisions, and all information security responsibilities currently assigned to the CIO should be officially transferred to the CISO;
- The HHS Office of the CISO, including all functions, personnel, assets, and liabilities, should be removed from the Office of the CIO and relocated to the Office of the General Counsel;
- The Office of the CISO for each HHS operating division, including all functions, personnel, assets, and liabilities, should be removed from the Office of the CIO and relocated to the operating division's Office of the Chief Counsel.
Healthcare organizations - including HHS - can address many of these security issues "the same way they have been addressed in other industries that face similar risks," McMillan says.
That includes establishing the chief security officer role as a senior member of the health system staff, and empower that individual to oversee all security-related operations to ensure appropriate collaboration among physical, logical, operational and administrative security activities, he says. Also, "eliminate the stove-pipes between security disciplines and key programs like biomedical engineering," he adds.
Getting the top levels of leadership to understand an organization's information security challenges also helps, Fricke says. "Board-level interest and visibility is helping information security programs gain the traction those programs need" at some entities, he notes.