The Department of Health and Human Services (HHS) recently released its 2017 – 2020 Information Technology (IT) Strategic Plan highlighting the key priorities of its $11 billion in annual IT spending. These goals were developed to support the key objectives of HHS to improve health care and scientific discovery. The five strategic goals identified are:
- IT Workforce
- Cybersecurity and Privacy
- Shared Services
- Interoperability and Usability
- IT Management
While the second key priority is cybersecurity, that concept is core to the overall plan. Even the IT Workforce goal discusses the importance of cybersecurity competencies for workforce development. HHS is expanding on the approach from a NIST effort, called the National Initiative for Cybersecurity Education (NICE), to identify and define workforce requirements, cybersecurity career paths and education.
Three key elements are presented within the cybersecurity goal to discuss how HHS will protect IT assets and the reliability of the data within them. The first element is very high-level and encourages IT leadership to improve the security and privacy posture of data and information systems. This would be accomplished by evaluating the potential impact associated with vulnerabilities to the IT asset inventory. It is true that many penetrations are caused by internal users inadvertently clicking on a phishing link or opening an email attachment. Cybersecurity awareness is the single best tool.
The second element is more concrete, advocating effectively preventing, monitoring and rapidly responding to emerging threats and vulnerabilities. In this area we can envision new tools that may drive investments in:
- Cyber threat-hunting
- Privileged identity management
- Patch management
- Key management tools for the cloud
- Data encryption
- Malware detection
- Security Information and Event Management (SIEM)
- Baseline activity monitoring to detect insider threats
Recognizing limited budgets, the third element of the cybersecurity plan proposes a risk-based cybersecurity and privacy protection approach. Evaluating threats and vulnerabilities to direct investments makes sense; however, the reality of the interconnected nature of the HHS network and cloud computing environments creates more opportunities for common enterprise tools deployed across all mission applications.
There was nothing earth-shattering, or new, in the HHS IT Strategic Plan, but it does reaffirm the commitment to key IT goals and continues the emphasis on cybersecurity that we have seen in prior years and IT investments.