“What We Found
Overall, HHS continues to implement changes to strengthen its enterprisewide information security program. We identified opportunities where HHS can strengthen its overall information security program. HHS continues to work toward implementing a Department-wide Continuous Diagnostics and Mitigation program with the Department of Homeland Security. This should help HHS achieve a higher level of maturity for its information security program in subsequent years. Additionally, we identified weaknesses in the following areas: risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response, and contingency planning…”
“What We Recommend and HHS Comments
We recommend that HHS further strengthen its information security program. We made a series of recommendations to enhance information security controls at HHS; specific recommendations were also provided to the OPDIVs. HHS concurred with all of our recommendations and described the actions it is taking and plans to take to implement them. HHS also provided technical comments, which we addressed…” Read the full report here.
Source: Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2018 – April 2019. HHS OIG.