Department of Health and Human Services (HHS)
This report focuses on HHS, a United States government agency mandated to provide for and protect the health of Americans, especially the most vulnerable. The federal government allots about a quarter of its outlays to the HHS Medicare and Medicaid insurance programs. This agency therefore works with other government agencies to ensure that grants are provided to help affected people (HHS, 2012b). In addition, the agency has many departments that are assigned different programs and tasks. Among these programs, information technology is fundamental to ensuring the confidentiality and privacy of patients’ data (HHS, 2012b).
Objective of the study
Given the significance of personal privacy, especially for health information, this report was prepared to address various issues that could improve the data storage processes of health providers. The report was prepared to meet the following objectives:
- To point out the major challenges faced by HHS in its attempts to maintain a high level of security for health information.
- To study the activities carried out by HHS on information security.
- To recommend possible ways to alleviate poor data management and the unlawful spreading of personal information.
- Lastly, and primarily, to assess cyber security in HHS.
Problem statement
In the recent past, the United States has been very active in introducing technology in the health sector, in an effort to alleviate the cumbersome manual work done on health records. The problem became acute when large amounts of information were lost to natural calamities such as floods and earthquakes. Hurricane Katrina, for instance, destroyed health information because many records were ruined and swept away by water. As a result, it was very hard to retrieve the health histories of various patients, which complicated the treatment process.
To remedy the situation, the federal government has been very eager to computerize the health records program as well as other areas requiring data management. The move was meant to ease information retrieval for quicker processing in hospitals and in other government-supported health programs such as Medicare and Medicaid. In addition, computerization of the health program is fundamental to keeping large amounts of information in very compact and secure data storage devices (HHS, 2012a).
However, the evolution of computer software has brought both advantages and disadvantages, as hacking has become disastrous and has increased the insecurity of data stored in computers (HHS, 2012a). Moreover, some HHS workers have directly or indirectly contributed to health information insecurity through negligence (HHS, 2012a).
The assessment process and report
- Family: Strategic Planning
- Class: Management
Security Planning Policy and Procedures – SPL-1
SPL-1.1 Assessment Objective
Determine if:
- (i) the organization develops and formally documents security planning policy (O)
- (ii) the organization security planning policy addresses:
  - purpose; (S)
  - scope; (O)
  - roles and responsibilities; (O)
  - management commitment; (S)
  - coordination among organization entities; and (S)
  - compliance (S)
- (iii) the organization develops and documents security planning procedures (S)
- (iv) the organization disseminates documented security planning policy within the organization (S)
- (v) the organization reviews/updates security planning policy (O)
Comments and Recommendations:
SPL-1.1 (i) HHS has been very poor in coordinating the program, as GAO concluded in its report. Indeed, HHS should address the weaknesses in its computer networks and systems to reduce their vulnerability.
SPL-1.1 (ii) Scope falls under "other than satisfied" because HHS has not implemented information security across the entire department. Therefore, it is not clear where security has been successful.
SPL-1.1 (ii) Roles and responsibilities in HHS are not clear, and where present they are poorly implemented or misunderstood.
SPL-1.1 (v) "The organization reviews/updates security planning policy" falls under "other than satisfied" because the time taken to update the database is too long (GAO, 2006). According to the report released by GAO, the program cannot be effective because HHS has been reluctant to implement a clear and comprehensive security program (GAO, 2006).
Security Awareness and Training Policy and Procedures – AT-1
AT-1.1 Assessment Objective
Determine if:
- (i) the organization develops and formally documents security awareness and training policy (O)
- (ii) the organization security awareness and training policy addresses:
  - purpose; (S)
  - scope; (S)
  - roles and responsibilities; (S)
  - management commitment; (S)
  - coordination among organization entities; and (S)
  - compliance (S)
- (iii) the organization develops and documents security awareness and training procedures (O)
- (iv) the organization disseminates documented security awareness and training policy within the organization (S)
- (v) the organization reviews/updates security awareness and training policy (S)
Comments and Recommendations:
AT-1 (i) This falls under "other than satisfied" because, although the department has drafted the policies, there is little training and awareness on the implementation of the program.
AT-1 (iii) This also falls under "other than satisfied" because there has barely been any training of junior staff on the implementation of the program.
- Family: Awareness and Training
- Class: Health
Contingency Planning Policy and Procedures – CP-1
CP-1.1 Assessment Objective
Determine if:
- (i) the organization develops and formally documents contingency planning policy (S)
- (ii) the organization contingency planning policy addresses:
  - purpose; (S)
  - scope; (S)
  - roles and responsibilities; (S)
  - management commitment; (S)
  - coordination among organization entities; and (S)
  - compliance (S)
- (iii) the organization develops and documents contingency planning procedures (S)
- (iv) the organization disseminates documented contingency planning policy within the organization (S)
- (v) the organization reviews/updates contingency planning policy (S)
Comments and Recommendations:
HHS has been very focused on planning, given the demand from its clients that their information be well stored (Howard, 2011). However, the implementation has been poor (Howard, 2011).
- Family: Contingency Planning
- Class: Health
System Maintenance Policy and Procedures – MA-1
MA-1.1 Assessment Objective
Determine if:
- (i) the organization develops and formally documents system maintenance policy (O)
- (ii) the organization system maintenance policy addresses:
  - purpose; (O)
  - scope; (O)
  - roles and responsibilities; (O)
  - management commitment; (O)
  - coordination among organization entities; and (O)
  - compliance (O)
- (iii) the organization develops and documents system maintenance policy and procedures (O)
- (iv) the organization disseminates documented system maintenance policy within the organization (O)
- (v) the organization reviews/updates system maintenance policy (O)
Comments and Recommendations:
The system is a failure, and unless quick measures are taken it could be disastrous in future (NIST, 2010). Maintenance policies and procedures are not clear (NIST, 2010). Personnel mandated to maintain the HHS system have put little effort into training employees (NIST, 2010). In addition, little has been documented on the success of the system despite its importance.
- Family: Maintenance
- Class: Health
References
GAO. (2006). Information Security: Department of Health and Human Services Needs to Fully Implement Its Program.
HHS. (2012a). About HHS. Web.
HHS. (2012b). Information Security and Privacy Program: HHS Cyber Security Program – Leadership for IT Security & Privacy across HHS. Web.
Howard, P. D. (2011). FISMA Principles and Best Practices: Beyond Compliance. Florida: Auerbach Publications.
NIST. (2010). Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans. Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology.