[ISN] HHS rebuts GAO's security assessment
isn at c4i.org
Fri Mar 24 03:41:08 EST 2006
By Nancy Ferris
Mar. 23, 2006
The Department of Health and Human Services and the Government
Accountability Office are at odds over a GAO report that describes
HHS' information systems as vulnerable to hackers, identity thieves
and privacy breaches.
The report states that sensitive Medicare records could be lost or
stolen because of numerous information security flaws. But the
department's official response, sent by Inspector General Daniel
Levinson, brags about HHS' progress, denies that the flaws are
significant and states that GAO based its conclusions on outdated
The 46-page GAO report, requested by Sen. Charles Grassley (R-Iowa),
chairman of the Senate Finance Committee, states that "significant
weaknesses in information security controls at HHS and at [HHS'
Centers for Medicare and Medicaid Services] in particular put at risk
the confidentiality, integrity and availability of their sensitive
information and information systems."
Grassley issued a statement stating that "instead of firewalls to
safeguard sensitive data, we have Swiss cheese. These agencies have to
once and for all implement their data protection programs and put the
security back into information security."
To prepare the report, GAO investigators reviewed reports issued in
2004 and 2005 by Levinson's office and outside auditors. But HHS
responded that the auditors omitted a 2005 IG report showing the
department had made substantial progress.
"The frequent use of the word "significant" to describe control
weaknesses documented throughout this GAO assessment evokes a negative
connotation that is not reflective of the progress or current state of
HHS' information security program," according to the HHS response.
"HHS is proud of its information security program and the progress it
has made over the last fiscal year," the response adds.
The GAO report cites deficiencies in almost every aspect of
information security at HHS, including firewalls, intrusion-detection
systems, security policies, training and passwords. Many of its
criticisms are leveled at the contractors that process Medicare claims
for CMS. For example, it says five of the contractors had no
intrusion-detection systems in place.
CMS is reducing the number of Medicare claims processing contractors
and data centers, partly to improve controls and data security.
But HHS did not escape criticism. In one case, an HHS agency used
router and firewall logs for troubleshooting instead of for intrusion
detection, the report states.
The report called on HHS to implement a departmentwide information
security program, in accordance with the Federal Information Security
Management Act. HHS said that implementation is well under way.