An Evaluation of the Cybersecurity Policies for the United States Health & Human Services Department: Criteria, Regulations, and Improvements

Authors

  • Derek Mohammed Saint Leo University
  • Ronda Mariani Saint Leo University

DOI:

https://doi.org/10.18533/ijbsr.v4i4.392

Keywords:

cybersecurity policy, Health Department, evaluation, regulation, recommendation

Abstract

This paper examines the criteria necessary for the evaluation of the cybersecurity policies for the United States Health and Human Services Department of the Federal Government. The overall purpose of cybersecurity policies and procedures is supported through compliance with Federal mandated regulation and standards, which serve to protect the organizational services and goals of the United States Health and Human Services Department, and to promote the best possible security practices in the protection of information systems from unauthorized actors and cyber-threats. The criteria of the cybersecurity evaluation is identified and analyzed for quality, strengths, weaknesses, and future applicability. Topics within the criteria include organizational operation, regulations and industrial standards compliance, service delivery to national customers, and the prevention and mitigation of IT system and security failure. This analysis determines the strengths and weaknesses, and makes recommendations for revising the cybersecurity policies within the United States Health and Human Services Department.


 

References

Biddick, M. (2009). InformationWeek Analytics: Government IT Priorities. Retrieved from Information Week: http://www.informationweek.com/government/enterprise-architecture/informationweek-analytics-government-it/218500752

Biddick, M. (2011). Research: Federal Government's IT Priorities. Retrieved from Information Week: http://www.informationweek.com/government/leadership/research-federal-governments-it-prioriti/231700118

Federal Register 74.209. (2009). Executive Order 12988, Civil Justice Reform. Retrieved from Department of Health and Human Services: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf

GAO-10-628. (2010). Critical Infrastructure Protection Key Private and Public Cyber Expectations Need to Be Consistently Addressed. Retrieved from Government Accountability Office: http://www.gao.gov/assets/310/307222.pdf

Grant Thornton. (2013). HIPAA/HITECH Cybersecurity Solutions Advisory Services. Retrieved from Grant Thornton LLP: http://www.gt.com/staticfiles/GTCom/Advisory/IT/HIPAA%20HITECH%20Cybersecurity%20solutions/Grant%20Thornton%20HIPPA-HITECH%20Solutions.pdf

HHS Office of the Chief Information Officer. (2013). Information Security and Privacy Program. Retrieved from U.S. Department of Health and Human Services: http://www.hhs.gov/ocio/securityprivacy/index.html

Intaver Institute. (2013). Qualitative and Quantitative Risk Analysis. Retrieved from Intaver Institute Inc.: http://www.intaver.com/Articles/Article_QuantitativeRiskAnalysis.pdf

Kefallinos, D., Lambrou, M., Maria, A., & Efstathios, D. (2009). An Extended Risk Assessment Model for Secure E-Government Projects. International Journal of Electronic Government Reserach, Apr-Jun(5), 72-92. Retrieved from ProQuest

Meyers, P. (2013). What would you do it you knew you couldn't fail? Creating S.M.A.R.T. Goals. Retrieved from The University of Kansas: http://www.oma.ku.edu/soar/smartgoals.pdf

Milliard, M. (2011). PwC: Health Industry Under-Prepared to Protect Privacy. Retrieved from HealthCare Finance News: http://www.healthcarefinancenews.com/news/pwc-health-industry-under-prepared-protect-privacy

NIST SP 800-122. (2010). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

NIST SP 800-66 Rev.1. (2008). An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

Office of Civil Rights. (2003). Summary of the HIPAA Privacy Rule. Retrieved from Department of Health and Human Services: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf

Radack, S. (n.d.). Using Performance Measurements to Evaluate and Strengthen Information System Security. Retrieved from National Institute of Standards and Technology: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=890085

Sims, S. (2012). Qualitative vs. Quantitative Risk Assessment. Retrieved from SANS Institute: http://www.sans.edu/research/leadership-laboratory/article/risk-assessment

Downloads

Published

2014-04-21

Issue

Vol. 4 No. 4 (2014): April

Section

Article

License

Authors who publish with this journal agree to the following terms:

  • Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
  • Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
  • Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).