HHS rebuts GAO's security assessment

"Information Security: Department of Health and Human Services Needs to Fully Implement its Program"

The Department of Health and Human Services and the Government Accountability Office are at odds over a GAO report that describes HHS’ information systems as vulnerable to hackers, identity thieves and privacy breaches.

The report states that sensitive Medicare records could be lost or stolen because of numerous information security flaws. But the department’s official response, sent by Inspector General Daniel Levinson, brags about HHS’ progress, denies that the flaws are significant and states that GAO based its conclusions on outdated reports.

The 46-page GAO report, requested by Sen. Charles Grassley (R-Iowa), chairman of the Senate Finance Committee, states that “significant weaknesses in information security controls at HHS and at [HHS’ Centers for Medicare and Medicaid Services] in particular put at risk the confidentiality, integrity and availability of their sensitive information and information systems.”

Grassley issued a statement stating that “instead of firewalls to safeguard sensitive data, we have Swiss cheese. These agencies have to once and for all implement their data protection programs and put the security back into information security.”

To prepare the report, GAO investigators reviewed reports issued in 2004 and 2005 by Levinson’s office and outside auditors. But HHS responded that the auditors omitted a 2005 IG report showing the department had made substantial progress.

“The frequent use of the word ‘significant’ to describe control weaknesses documented throughout this GAO assessment evokes a negative connotation that is not reflective of the progress or current state of HHS’ information security program,” according to the HHS response.

“HHS is proud of its information security program and the progress it has made over the last fiscal year,” the response adds.

The GAO report cites deficiencies in almost every aspect of information security at HHS, including firewalls, intrusion-detection systems, security policies, training and passwords. Many of its criticisms are leveled at the contractors that process Medicare claims for CMS. For example, it says five of the contractors had no intrusion-detection systems in place.

CMS is reducing the number of Medicare claims processing contractors and data centers, partly to improve controls and data security.

But HHS did not escape criticism. In one case, an HHS agency used router and firewall logs for troubleshooting instead of for intrusion detection, the report states.

The report called on HHS to implement a departmentwide information security program, in accordance with the Federal Information Security Management Act. HHS said that implementation is well under way.