The Department of Health and Human Services (HHS) has not implemented a department-wide information security program, and as a result, the confidentiality, integrity and availability of its many sensitive records are at risk, according to a recent report by the Government Accountability Office (GAO).

HHS is the United States’ largest health insurer, with programs that affect all Americans, be it through direct services or information that helps people choose the appropriate levels of medical care, medicines and other health-related needs. The Centers for Medicare & Medicaid Services (CMS), a division of HHS, provides Medicare and Medicaid services to one in four Americans, according to GAO.

“HHS computer networks and systems have numerous electronic access control vulnerabilities related to network management, user accounts and passwords, user rights and file permissions, and auditing and monitoring of security related events,” the report reads. “In addition, weaknesses exist in other types of controls designed to physically secure computer resources, conduct suitable background investigations, segregate duties appropriately, and prevent unauthorized changes to applications software.”
The report attributes these vulnerabilities to the fact that HHS has not fully implemented a department-wide infosecurity program at all of its various divisions; specifically, the department has not fully implemented elements related to the following eight areas:

• risk assessments
• policies and procedures
• security plans
• security awareness and training
• tests and reviews of control effectiveness
• remedial actions
• incident handling
• continuity of operations plans

“Until HHS fully implements a comprehensive information security program, security controls may remain inadequate; responsibilities may be unclear, misunderstood, and improperly implemented; and controls may be inconsistently applied,” the report reads.

GAO recommends that the department’s secretary instruct its chief information officer to take action toward ensuring that all these points are addressed at all of HHS’ operating divisions.

In a response to a draft of the report, HHS officials acknowledged that the department has some improvements to make, but noted that GAO didn’t give any credit for the progress it had already made.

Check out the full GAO report and the highlights page.