Department of Health and Human Services IT Security Program - Research Paper Example

Department of Health and Human Services IT Security Program Since the administration of President Barack Obama took charge of the government in 2008,one of the objectives that have been aggressively pursued was health care. It was inevitable, hence, for the US Department of Health and Human Services to have a prominent role and introduce a radical shift in policy focus. This development, which many see as wide ranging reform, is fundamentally articulated in the agency’s Strategic Plan and Priorities 2010-2015. This plan has at least five strategic priorities: health care; knowledge and innovation; health, safety and well being; transparency and accountability; and, development of the workforce and infrastructure. In order to achieve the goals in each of these areas, the agency relies on several mechanisms such as performance measures. Another mechanism, which this paper will explore, is the area of security. The overarching principle that guides the organizational ambitions is to strengthen health care delivery and access by encouraging innovation as well as efficiency and transparency of the programs and processes. The agency recognized that these could not be achieved if the initiatives, activities and information involved are not protected or secured. In order to address this, a security strategy has been developed by the Department of Health and Human Services Department of Health and Human Services. This strategy is articulated in several security policies, which are outlined below: HHS IRM Policy for IT Security for Remote Access This policy outlines the framework by which the department ensures that its IT resources are protected when accessed remotely. The resources mentioned include all levels of sensitivity all existing automated information and systems. The policy includes mandatory rules for all organizational units, employees and other stakeholders. The roles and responsibilities are also outlined for the managers, security and IT officers. Policy for the Prevention, Detection, Removal and Reporting of Malicious Malware Building on the fact that pro-active security measures are implemented and maintained effectively, this policy outlines the rules by which malwares or malicious computer applications and data are prevented from entering the system, detected and rooted out immediately. This policy is particularly directed at the employees who are tasked to gather, process and transmit HHS information and infrastructure resources such as the Chief Information Officer (CIO), the Deputy Assistant Secretary for Information Resources management and Senior Information Systems Security Officer. Policy for Responding to Breaches of Personally Identifiable Information (PII) Through this policy, the Department of Health and Human Services, effectively, created the PII Breach Response Team. Consequently, the policy outlined the responsibilities, tasks and mandate of the team such as the identification, management and response to suspected or confirmed security breaches. This policy also created the HHS Information Security and Privacy Program, which was developed to support the Breach Response Team. Policy for Privacy Impact Assessments (PIA) PIA is a critical policy introduced by the Department of Health and Human Services because it is concerned about performance. The policy articulated the manner by which evaluations for all of the organization’s information technology systems should be conducted. This aspect in the security system of the HHS is important because it established the framework by which security performances are evaluated according to organizational security objectives, governmental requirements. HHS-OCIO Policy for Machine-Readable Privacy Policies This is one of the several major policies that came from the office of the Chief Information Officer. It outlines the implementation for machine-readable policy for the agency’s websites. A core component of this policy is the satisfaction of best practices standards in terms of satisfying web privacy security, legal and regulatory requirements as well as the collection and protection of data. HHS-OCIO Policy for Information Systems Security and Privacy This is a detailed policy that identifies stakeholders and their responsibilities in the overall organizational initiative to the data gathered and stored by the agency within the parameters of the Federal Information Security Management Act of 2002. This is a new iteration of this policy that improved on the manner by which the agency develop and maintain a security framework according to the changes in technological and statutory standards. Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response The latest policy introduced by the Chief Information Officer. It details the process by which IT security incidents are reported and created the HHS Computer Security Incident Response Center, a unit specifically tasked to maintaining Department-wide IT security situational awareness and the determination of IT security risk posture. The Implementation of the Office Management and Budget (OMB) M-10-22 and M-10-23 This is a policy response to the memoranda issued by the Office of Management and Budget, the M-10-22 (Guidance for Online Use of Web Measurement and Customization Technologies) and M-10-23 (Guidance for Agency Use of Third Party Websites and Application). The policy is directed towards all supervisory positions under the CIO and outlined procedures of adherence within the context of the organizational framework. The above policies constitute the overall security policy of the Department of Health and Human Services. There is no overarching framework that includes all of these into a coherent and systematic organizational standard or rules. The program is a loose mechanism consisted of a series of policy making that are independent of each other. It is up to the officers and employees subject to each of the policies to make sense of them in the context of the wider organizational security policy and organizational objectives. While the office of the CIO is prompt in its policy responses to existing and emergent IT security risks both on the environmental and statutory levels, there is need to establish a general policy integrating each of the above policies to provide coherence and efficiency. It is imperative that IT security policymaking are contextualized within one framework in order to: 1) avoid overlapping policies, responsibilities, tasks and strategies; 2) streamline processes and, 3) provide policy linkages. References DHSS. (2001). HHS IRM Policy for IT Security for Remote Access. DHSS. DHSS. (2010). U.S. Department of Health and Human Services Strategic Plan 2010-2015. DHSS. DHSS Office of Information Resource Management. (2001). Policy for the Prevention, Detection, Removal and Reporting of Malicious Malware. DHHS. DHSS-OCIO. (2008). Policy for Responding to Breaches of Personally Identifiable Information (PII). DHHS. DHSS-OCIO. (2009). Policy for Privacy Impact Assessments (PIA). DHSS. DHSS-OCIO. (2010). HHS-OCIO Policy for Machine-Readable Privacy Policies. DHSS. DHSS-OCIO. (2010). Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response. DHSS. DHSS-OCIO. (2010). The Implementation of the Office Management and Budget (OMB) M-10-22 and M-10-23. DHHS. DHSS-OCIO. (2011). HHS-OCIO Policy for Information Systems Security and Privacy. DHSS. Read More