Monday, May 12, 2025

Health IT Security: GAO: HHS Security Risk Management Strategy Lacks Key NIST Elements

“The Department of Health and Human Services needs to fully develop its cybersecurity risk management strategy to include key elements from NIST guidance, according to a Government Accountability Office report.”

“GAO audited the cybersecurity risk management programs of 23 federal agencies to determine the establishment of key elements, the challenges these agencies faced in developing and implementing the program, and the steps the Office of Management and Budget and Homeland Security have taken to meet their responsibilities around these programs and the challenges agencies face.”

“The watchdog reviewed the policies and procedures and compared them to federal cybersecurity risk management practices and interviewed responsible agency officials. For HHS, its chief information officer is tasked as risk executive, responsible for the risk management framework tasks outlined in NIST.”

“According to the audit, there were several key issues in HHS risk management strategy. To start, HHS was one of 13 other federal agencies that did not address the need for an organization-wide risk assessment of cyber risks to be conducted and updated as part of its strategy…”

“This is just the GAO audit report to chastise the security program at HHS and follows a damning Senate report that outlines years of inadequate security. The most recent GAO audit named the Centers for Medicaid and Medicare Services’ systems the third-most critical legacy federal system.” Read the full article here.

Source: GAO: HHS Security Risk Management Strategy Lacks Key NIST Elements – By Jessica Davis, July 26, 2019. Health IT Security.

Jackie Gilbert
Jackie Gilbert is a Content Analyst for FedHealthIT and Author of 'Anything but COVID-19' on the Daily Take Newsletter for G2Xchange Health and FedCiv.
