An Evaluation of the Cybersecurity Policies for the United States Health & Human Services Department: Criteria, Regulations, and Improvements
Keywords: cybersecurity policy, Health Department, evaluation, regulation, recommendation
Abstract: This paper examines the criteria necessary for evaluating the cybersecurity policies of the United States Department of Health and Human Services, part of the Federal Government. The overall purpose of cybersecurity policies and procedures is supported through compliance with Federally mandated regulations and standards, which serve to protect the organizational services and goals of the Department and to promote the best possible security practices for protecting information systems from unauthorized actors and cyber-threats. The criteria of the cybersecurity evaluation are identified and analyzed for quality, strengths, weaknesses, and future applicability. Topics within the criteria include organizational operation, compliance with regulations and industry standards, service delivery to national customers, and the prevention and mitigation of IT system and security failures. This analysis determines the strengths and weaknesses of the current policies and makes recommendations for revising the cybersecurity policies within the United States Department of Health and Human Services.