
[ISN] HHS rebuts GAO's security assessment

Subject: [ISN] HHS rebuts GAO's security assessment
Date: Fri, 24 Mar 2006 02:41:08 -0600 (CST)
http://govhealthit.com/article92719-03-23-06-Web

By Nancy Ferris
Mar. 23, 2006 

The Department of Health and Human Services and the Government
Accountability Office are at odds over a GAO report [1] that describes
HHS' information systems as vulnerable to hackers, identity thieves
and privacy breaches.

The report states that sensitive Medicare records could be lost or 
stolen because of numerous information security flaws. But the 
department's official response, sent by Inspector General Daniel 
Levinson, brags about HHS' progress, denies that the flaws are 
significant and states that GAO based its conclusions on outdated 
reports.

The 46-page GAO report, requested by Sen. Charles Grassley (R-Iowa), 
chairman of the Senate Finance Committee, states that "significant 
weaknesses in information security controls at HHS and at [HHS' 
Centers for Medicare and Medicaid Services] in particular put at risk 
the confidentiality, integrity and availability of their sensitive 
information and information systems."

Grassley issued a statement stating that "instead of firewalls to 
safeguard sensitive data, we have Swiss cheese. These agencies have to 
once and for all implement their data protection programs and put the 
security back into information security."

To prepare the report, GAO investigators reviewed reports issued in 
2004 and 2005 by Levinson's office and outside auditors. But HHS 
responded that the auditors omitted a 2005 IG report showing the 
department had made substantial progress.

"The frequent use of the word 'significant' to describe control 
weaknesses documented throughout this GAO assessment evokes a negative 
connotation that is not reflective of the progress or current state of 
HHS' information security program," according to the HHS response.

"HHS is proud of its information security program and the progress it 
has made over the last fiscal year," the response adds.

The GAO report cites deficiencies in almost every aspect of 
information security at HHS, including firewalls, intrusion-detection 
systems, security policies, training and passwords. Many of its 
criticisms are leveled at the contractors that process Medicare claims 
for CMS. For example, it says five of the contractors had no 
intrusion-detection systems in place.

CMS is reducing the number of Medicare claims processing contractors 
and data centers, partly to improve controls and data security.

But HHS did not escape criticism. In one case, an HHS agency used 
router and firewall logs for troubleshooting instead of for intrusion 
detection, the report states. 

The report called on HHS to implement a departmentwide information 
security program, in accordance with the Federal Information Security 
Management Act. HHS said that implementation is well under way.

[1] http://www.gao.gov/new.items/d06267.pdf
