Privacy safeguards lacking in US Health and Human Services IT systems
The US Department of Health and Human Services (HHS) and its component agencies that support pandemic public health preparedness and response did not implement all the key privacy safeguards for nine IT systems that the Government Accountability Office (GAO) randomly selected for a performance audit between February 2023 to September 2024.
“As a result,” GAO said in its stinging 77-page rebuke of the department, “information collected and stored by some of these systems may be at higher risk for unauthorized disclosure.”
“HHS and its component agencies have not fully addressed key federal privacy requirements, such as developing Privacy Impact Assessments (PIA) and privacy plans for all of their pandemic systems that include personally identifiable information (PII),” Congress’s investigative arm said.
And “until HHS’s component agencies ensure that privacy risks are assessed and privacy impact assessments are developed for all of their information systems containing PII, including those that support pandemic public health preparedness and response, HHS will have less assurance that it fully understands the risks and the privacy protections necessary for these systems,” GAO said.
GAO performed the audit at the request of Sens. Bernard Sanders and Bill Cassidy, chair and ranking member of the Senate Committee on Health, Education, Labor and Pensions, and Reps. Cathy McMorris Rodgers and Frank Pallone, Jr., chair and ranking member of the Senate Committee on Energy and Commerce.
The HHS component agencies GAO audited are the Administration for Strategic Preparedness and Response, Centers for Disease Control and Prevention, Food and Drug Administration, Health Resources and Services Administration, Indian Health Service, and the National Institutes of Health.
GAO found that 68 of the 99 systems (69 percent) it identified collected and stored personally identifiable information. The agencies developed privacy impact assessments for 53 of the 68, “leaving 15 (22 percent) systems without an assessment of privacy risks.”
Seven of the 15 (47 percent) systems that had no PIAs were CDC systems, GAO found, adding that the “CDC stated that PIAs were not required for these systems for various reasons. For example, CDC officials stated that three of the seven systems were covered by other systems’ PIAs. However, these systems were not mentioned in other PIAs as being included in the assessment. Nonetheless, in May 2024, CDC officials stated that they had initiated but not yet finalized a separate PIA for one of the three systems – the Surveillance of Emerging Threats to Pregnant People and Infants Network.”
“For three additional systems, CDC stated that a PIA was not required because they had either a cooperative agreement or data use agreement for the information collected and stored by the system” even though, GAO said, “CDC identified these systems as collecting and storing PII. Therefore, a PIA should have been performed for these systems.”
For the last CDC system that lacked a PIA, GAO said agency “officials stated that the system supports various programs across CDC and the programs are to manage the PIAs for the data they store in the system. However, CDC did not provide evidence that the programs maintained a PIA for this system.”
GAO stressed that the PIAs “are essential to identifying and mitigating the privacy risks of systems containing PII,” and that “until HHS ensures that PIAs are developed for all of its systems containing PII, it will have less assurance that privacy risks are assessed to prevent unauthorized disclosure.”
A privacy impact assessment analyzes information systems containing personally identifiable information to ensure that the PII is handled according to applicable privacy requirements. A PIA also determines the privacy risks associated with an information system and evaluates ways to mitigate privacy risks.
“The protection of personal privacy has become a more significant issue in recent years with the advent of new technologies and the proliferation of personal information,” GAO said in its audit report to the lawmakers, noting that while “the increasingly sophisticated ways in which the federal government obtains and uses PII have the potential to assist in performing critical functions, such as helping to detect and prevent cyber threats and enhancing online interactions with the public,” these same “technological developments can also pose challenges in ensuring the protection of privacy.”
GAO had reported in September 2022 that HHS “did not fully define or document processes for privacy workforce management,” and at that time had recommended that the department “fully define and document a process for ensuring that the senior agency official for privacy (SAOP) or other designated privacy official is involved in addressing the hiring, training, and professional development needs of the agency with respect to privacy.”
GAO reiterated that in May 2023 it designated this recommendation as a priority recommendation, with which HHS concurred, but that HHS, “as of June 2024, had not yet implemented it.”
GAO made 14 recommendations to HHS, including establishing an IT systems inventory, addressing duplicative data, and fully implementing privacy safeguards. GAO said HHS “generally agreed with the recommendations,” but stated “that two may not be feasible. GAO continues to believe they are valid.”
Among GAO’s recommendations are that the Secretary of HHS should:
- Ensure that the Administration for Strategic Preparedness and Response (ASPR) has an updated privacy impact assessment for the Cooperative Agreement Accountability and Management Platform;
- Ensure that the ASPR revises the system privacy plan for ASPR Ready to include the privacy controls in place or planned for meeting the privacy requirements;
- Ensure that ASPR develops assessments of privacy controls for ASPR Ready and the Electronic Medical Records System;
- Ensure that the director of the Centers for Disease Control and Prevention conducts and develops privacy impact assessments for all pandemic public health preparedness and response systems that include personally identifiable information;
- Ensure that the CDC director ensures that the senior official for privacy reviews and approves the system security categorizations for the COVID-19 Clearinghouse and HHS Protect;
- Ensure that the Food and Drug Administration (FDA) commissioner conducts and develops privacy impact assessments for all pandemic public health preparedness and response systems that include personally identifiable information;
- Ensure that the FDA commissioner ensures that the senior official for privacy reviews and approves the system security categorization for the Biologics Information Tracking System; and
- Ensure that the FDA commissioner develops an assessment of privacy controls for the Biologics Information Tracking System.