Skip to main content
Premium Trial:

Request an Annual Quote

Network Security at HHS

A report issued last week says that the information systems of five divisions of the US Department of Health and Human Services were breached in the last three years using unsophisticated approaches, MedPage Today reports. Those divisions include the Food and Drug Administration, the National Institutes of Health, and the Centers for Medicare and Medicaid Services.

After the Food and Drug Administration's internal network was breached in 2013 — an unauthorized user was able to access the account details of more than 14,000 users of one of FDA's information systems — the House Energy and Commerce Committee began an investigation into its information security. Along the way, the committee noted that other divisions of HHS also had network security issues.

According to the committee report, these issues all had the same root cause: security concerns, it says, are secondary to operational concerns due to the organizational relationship and division of authority between the Chief Information Officer and the Chief Information Security Officer at HHS headquarters and throughout the agency's divisions.

The report suggests that moving the CISO position to the Office of the General or Chief Counsel could fix some of these organizational problems. That way, it says, information security would be removed from information technology and enable expertise from across HHS to weigh in on security. In addition, such a move would highlight that information security has become a risk-management activity, it says.

"While it is impossible to fully protect against cyber attacks, we have a responsibility to approach these issues with necessary foresight and diligence to minimize vulnerabilities and maximize security," say House Energy and Commerce Committee Chairman Fred Upton (R-MI) and Oversight and Investigations Subcommittee Chairman Tim Murphy (R-PA) in a statement. "We look forward to working with HHS, FDA, NIH, and others to develop solutions to better protect this information. Unfortunately, the bar has been set low and we have nowhere to go but up."