
The 2006 General Accounting Office (GAO) report focuses on the Department of Health and Human Services (HHS) and claims there are "significant" weaknesses in its information systems, making them vulnerable to hackers and identity thieves.

Requested by Sen. Charles Grassley (R-Iowa), the 46-page report found instances of anti-virus software not installed or up to date; employees hired without proper background checks; computer passwords that are not properly updated or controlled; and weak physical controls, such as security cameras that do not work.

The HHS is responsible for more than 300 programs, including Medicare and Medicaid. It handles more than a billion health care claims every year and currently has 14 operating divisions.

GAO investigators reviewed management and audit reports issued in 2004 and 2005 that outline security practices at 13 HHS divisions. Below are the main areas of concern:

· Electronic access controls were inadequate. Antivirus software was not always installed or up to date, and system administrative access was not always restricted.

· Many user account passwords were set to never expire, and the minimum password length was set to zero. Both factors increase the likelihood of someone being able to guess the password.

· One Medicare contractor was allowed to transport approximately 25,000 Medicare check payments in a privately owned vehicle in an unlocked container for more than a year.

· Many surveillance cameras used for monitoring facilities were not working properly.

· Background checks were not always performed.

· In the department-wide information security program, areas such as security and awareness training, risk assessments, and policies and procedures have not been addressed.

· Although HHS requires systems and networks to undergo vulnerability scanning to identify threats, the report found three systems at three different operating divisions that have not undergone testing.

"Instead of firewalls to safeguard sensitive data, we have Swiss cheese," said Grassley.

In an official response to the report, HHS bragged about progress being made and said it believes GAO came to its conclusions based on outdated reports.

"HHS is proud of its information security programs and the progress it has made over the last fiscal year," the response added.

HHS also pointed out that investigators failed to note a 2005 security program effort that resulted in a 57 percent decrease in reportable deficiencies. The department was also concerned that the use of the word "significant" to describe the reported weaknesses was misleading and created more panic than needed.

The GAO report made recommendations to ensure that operating divisions develop comprehensive risk assessments that address key elements; conduct tests of the controls of operational systems; provide specialized training to individuals with security responsibilities; and implement intrusion detection systems.

The report made it clear that HHS must implement a department-wide information security program in accordance with the Federal Information Security Act. HHS assures that implementation is already under way.

Lauren Himiak is an editorial assistant with ADVANCE.


© 2017 ADVANCE Healthcare, an Elite CE company