After five relatively unsophisticated cyber breaches at Department of Health and Human Services agencies in the last three years, a House committee believes HHS’ organizational structure is causing information security to be sacrificed for operational efficiencies.
In a new report, the House Energy and Commerce Committee found that easily preventable cybersecurity vulnerabilities discovered at the HHS’ Food and Drug Administration and the Health Resources and Service Administration were the result of the working relationship of chief information security officers and chief information officers, which effectively put overall operations ahead of security. Thus, the report says, security interests received “insufficient or improper attention.”
The discovery of a breach at FDA in October 2013 led the committee to investigate cyber vulnerabilities at other HHS component agencies, and it was then that an alarming trend pegged to the organization structure in the CIO’s office became apparent.
“[I]t is clear that the relationship between the CIO and the CISO in HHS’s headquarters and its operating divisions is an important factor contributing to the prioritization of operational concerns over security concerns,” the report states.
Committee Chairman Fred Upton, R-Mich., and Oversight and Investigations Subcommittee Chairman Tim Murphy, R-Pa., said in a joint statement, “What we found is alarming and unacceptable. At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack.
“With the recent Office of Personnel Management attack serving as another example of how wrong things can go, this report pulls back the curtain and sheds light on serious deficiencies in HHS’s information security practices,” they added.
The committee found it particularly troubling that in most cases, the cyber exploits discovered should have been easy to prevent but the conflicting interests let them slip in unnoticed.
“Though the security incidents detailed throughout this report resulted in relatively minor exploitations, the susceptibility of FDA, NIH, HRSA, SAMHSA, CMS, and IHS networks to minor, well-known, and preventable exploits such as SQL injections, XSS attacks, default credential exploitation, and automated scanning is troubling,” the report says. “The diversity of the agencies, officials, networks, technologies, and exploits involved in these incidents suggest that no individual official or technology is to blame. Rather, there is a fundamental weakness within the information security programs in place at HHS and its operating divisions.”
One report interviewee speaking on background told the committee that failing to protect against the SQL injection breach discovered at the FDA in 2013 was like “leaving the front door open.”
To resolve the organizational issues that the committee believes to be driving the lax security protections, the report authors recommend that CISOs at HHS agencies should no longer report to the CIO. Instead, they should be placed under the general counsel, calling it an acknowledgement of “the fact that information security has evolved into a risk-management activity, traditionally the purview of the legal team.”
This structure would better “facilitate the inclusion of expertise across HHS in information security decisions,” the committee believes.
“While it is impossible to fully protect against cyber attacks, we have a responsibility to approach these issues with necessary foresight and diligence to minimize vulnerabilities and maximize security,” Upton and Murphy said. “We look forward to working with HHS, FDA, NIH, and others to develop solutions to better protect this information. Unfortunately, the bar has been set low and we have nowhere to go but up.”
HHS did not respond to requests for comment on the report.