Introduction
The Department of Health and Human Services (HHS) is the agency aimed at protecting health of American citizens and helping those who are unable to help themselves. According to the company’s website, HHS performs “a wide variety of tasks and services, including research, public health, food and drug safety, grants and other funding, health insurance, and many others” (HHS.gov, 2010). HHS sets the following goals for the next five years, “transform health care”, “advance scientific knowledge and innovation”, “advance the health, safety, and well-being of the American people”, “increase efficiency, transparency, and accountability of HHS Programs”, “strengthen the nation’s health and human services infrastructure and workforce” (HHS.gov, 2010). These goals can be achieved only in case of proper information security. HHS cares deeply about information security and implements a security program based on the policies.
Survey of HHS Information Security Programs
To revise the HHS information security system, the following issues should be considered in detail.
- Policy. HHS has eight IT security and privacy policies directed at protecting different kinds of information. The security programs are guided by the following policies, Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response (2010), HHS-OCIO Policy for Machine-Readable Privacy Policies (2010), HHS-OCIO Policy for Information Systems Security and Privacy (2010), Policy for Privacy Impact Assessments (2009), Policy for Responding to Breaches of Personally Identifiable Information (2008), HHS IRM Policy for the Prevention, Detection, Removal and Reporting of Malicious Software (2001), and HHS IRM Policy for IT Security for Remote Access (2001). The information security program is guided by the Office of the Chief Information Officer. Working with people in the health care field, the information security is a priority (Information security, 2006). The responsibilities of the Chief Information Officer are not limited to, but strictly directed at implementing and controlling HHS information security. Acquisition of systems and services, asset management, and audit and accountability are issues Chief Information Officer should decide as a priority goal. The software and hardware were bought as the information security is based on them. Chief Information Officer is also responsible for compliance management, as the implementation of the security program is not the final stage of security program. Control is central and the proper completion of this function may lead to successful planning and information security performance (HHS-OCIO policy for information systems security and privacy, 2010).
- Authentication and authorization. To eliminate the cases of unauthorized access to the information, electronic controls are implemented. The main idea of the electronic controls is to cover the network management by means of user account and passwords. Chief Information Officer is responsible for auditing and monitoring security-related events. A failure to implement electronic control effectively makes the system weak and ineffective (Information security, 2006).
- Business Continuity. HHS has to develop plans and procedures to make sure that the business continuity is on the appropriate level. Business continuity of operations for information systems is practically absent for now.
- Configuration. The policies developed for the HHS information security programs are aimed at implementing the standards and performing controlling functions, still, minimally acceptable configuration requirements have not been developed.
- Control Data. Having revised policies and GAO report it can be concluded that data flows are not controlled in the organization.
- Hardware. HHS possesses necessary hardware for implementing controlling system (Information security, 2006).
- Media Protection & Destruction. HHS points to the possibility of remote access to the information via telework tool. But, weak software protection cannot guarantee safe remote access (HHS IRM Policy for IT Security for Remote Access, 2001).
- Planning. HHS plans for improving the information technology resources protection are completed in accordance with government guidelines. HHS objectives are aimed at revising the existing system of information security and after thorough analysis set new objectives for implementation.
- Physical Environment. According to HHS policies, physical access to the rooms with computer resources is limited to authorized personnel. However, the access to those rooms can be available to other people in practice. The lack of security in physical environment reduces reliability of the information security (Information security, 2006).
- Risk Assessments. HHS information security program does not possess risk assessments, therefore, it should develop comprehensive issues which are going to address the key elements.
- Software. Electronic controls are implemented as user accounts with passwords.
- Training. HHS reported about implemented training programs, however, a research shows that “employees with significant security related responsibilities had not received specialized security training ” (Information security, 2006, p. 20) that leads to the reduction of the information security properties of the programs.
Conclusion
Having considered the information security program of HHS, it can be concluded that there is much to be done in order to make it ideal, reliable and really secure. Having good hardware and software basis, HHS has not trained personnel accordingly to make those be able to use the system appropriately. Having the policies which are directed at implementing the rules for incident management, electronic control, information systems security and privacy, personally identifiable information, prevention of cyber-attacks, and IT security for remote access, HHS fails to implement those policies in a proper way. HHS has the following problems in the relation to information security, “risk assessments, policies and procedures, security plans, security awareness and training, tests and evaluations of control effectiveness, remedial actions, incident handling, and continuity of operations plans” (Information security, 2006, p. 1) which can be solved by means of following the policies strictly.
Reference List
HHS IRM policy for IT security for remote access. (2001). Office of Information Resource Management. HHS-IRM-2000-0005.
HHS IRM policy for the prevention, detection, removal and reporting of malicious software. (2001). Office of Information Resource Management. HHS-IRM-2000-0007.
HHS.gov: U.S. Department of Health & Human Services (2010). Web.
HHS-OCIO policy for information systems security and privacy. (2010). Office of Information Resource Management. HHS-OCIO-2010-0006.
HHS-OCIO policy for machine-readable privacy policies. (2010). Office of Information Resource Management. HHS-OCIO-2010-0001.
Information security: Department of Health and Human Services needs to fully implement its program. (2006). GAO.
Policy for information technology (IT) security and privacy incident reporting and response. (2010). Office of Information Resource Management. HHS-OCIO-2010-0004.
Policy for privacy impact assessments (PIA). (2009). Office of Information Resource Management. HHS-OCIO-2009-0002.
Policy for responding to breaches of personally identifiable information (PII). (2008). Office of Information Resource Management. HHS-OCIO-2008-0001.003.