Five breaches in three years reported at U.S. health agencies

By Erin Ayers on August 12, 2015

The U.S. Department of Health and Human Services experienced five data breaches in the last three years, according to a new report released by the U.S. House of Representatives Committee on Energy and Commerce.

While the cyber events did not result in any “substantial” harm, the Committee said they emphasized the vulnerability of the HHS divisions, including the Food and Drug Administration, which experienced a breach in October 2013 during which an unauthorized user accessed the information of 14,000 users of the FDA system.

“Further, the committee became aware of non-public HHS Office of Inspector General (OIG) reports on HHS information security over the last seven years, which reveal pervasive and persistent deficiencies across HHS and its operating divisions’ information security programs,” noted the authors of the report. “The OIG reports, in combination with the operating divisions’ breaches and the inability of agency officials to provide accurate and sufficient information about them, suggest weaknesses exist within the information security practices of both HHS and its operating divisions.”

The report offers a “root cause” for the breaches – in the case of the FDA, the Office of Civil Rights (OCR), and the Centers for Medicare and Medicaid Services (CMS), authorities placed too much focus on operational concerns over security issues. The investigation also found that the hierarchy of chief information officer over the chief information security officer prevented CISOs from requiring security audits.

“FDA’s lack of permanent IT leadership – in both the CIO and CISO roles – for an extended period raises concerns that the agency is not addressing its key personnel needs for IT with sufficient attention and priority,” the authors noted.

In addition, simple mistakes caused problems. One breach occurred because of failure to implement “critical” software patches. Another mistake involved an information security official mislabeling a list of hacker aliases as security vulnerabilities. These prompted lawmakers to suggest that IT officers throughout the HHS do not have full access or awareness of their own networks or the security incidents occurring.

“The unsophisticated nature of the attacks used against [the agencies], as well as the susceptibility of their networks to them, calls into question the adequacy of information security at HHS and its operating divisions. The committee’s investigation has led committee staff to conclude that a significant weakness exists within the information security programs of these operating divisions and of HHS itself,” concluded the committee.

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.