The US government’s Department of Health and Human Services (DHHS) has been warned of “significant” weaknesses in its information security, leaving it vulnerable to hackers, according to a report by the US Government Accountability Office (GAO).
The report accused the DHHS and the Centers for Medicare and Medicaid Services of having “significant weaknesses” in their electronic access controls and other information system controls designed to protect the confidentiality, integrity and availability of information and information systems.
It added that a key reason for the weaknesses was that the DHHS had not yet fully implemented a department-wide information security program, leaving medical and financial information systems vulnerable to unauthorised access, use, modification and destruction.
In particular, the GAO identified weaknesses in the way DHHS divisions and contractors restricted network access, managed anti-virus software, configured network devices and protected information crossing department networks.
The report caused a row with officials, who said the GAO had not taken into consideration an additional seven months’ work the DHHS had done to improve its information security.
The DHHS is probably not the first government department to be criticised for its information security, nor the last. In many cases, just knowing what devices are located on the network is a challenge, in both the public and private sectors. If nothing else, the GAO report will be a wake-up call to all government departments, on both sides of the pond.