Serious flaws at federal health agencies are “alarming and unacceptable,” according to several lawmakers who found poor security of vital data.
Lawmakers on the House Energy and Commerce Committee released a report Thursday that details a yearlong investigation into the Department of Health and Human Services' information security systems. The report comes a few weeks after the Office of Personnel Management was hacked and data on more than 22 million federal workers and their friends or relatives was stolen.
The committee started the investigation after the Food and Drug Administration was hacked in October 2013 and information was stolen from 14,000 users of one of the agency’s databases.
The committee’s report found that five of the department’s operating divisions were breached using unsophisticated means in the last three years. Affected agencies often struggled to provide “accurate, clear and sufficient information on the security incidents during the committee’s investigation.”
Lawmakers questioned whether security personnel have the appropriate authority and, in some cases, expertise to secure the systems.
The report detailed two security breaches at two divisions that resulted from misconfigurations. A separate breach resulted from a missing software patch.
The report issued a series of recommendations.
“While it is impossible to fully protect against cyber attacks, we have a responsibility to approach these issues with necessary foresight and diligence to minimize vulnerabilities and maximize security,” said Reps. Fred Upton, R-Mich., and Tim Murphy, R-Pa. Upton is chairman of the full committee and Murphy of its oversight subcommittee.
One such recommendation calls for reorganizing personnel so that the information security chief reports directly to top executives and not just the chief information officer. That reflects a growing trend in the private sector, the report said.