Project 1: Effect of Legislation on Organizations

Insert NameCSIA 412 6381

Introduction

The purpose of this paper is to provide an analysis of the effects of key takeaways from the Presidential Policy Directive 21, Executive Order, and the May 2011 Cyber Security Legislative Proposal on the Department of Health and Human Services. Specifically, this paper seeks to analyze and evaluate the effects of refining and clarifying functional relationship across the Federal Government, creating a baseline framework to reduce cyber risk to critical infrastructure, privacy and civil liberties, and critical infrastructure and cybersecurity. This paper is designed to provide an overview of the policies that accompany each key takeaway, the reason the takeaway was chosen, as well as the effects it has had on the Department of Health and Human Services since its inception.

Points of Analysis

The following points of analysis have been collected from the Presidential Policy Directive (PPD) 21, Executive Order (EO) 13636, and the May 2011 Cyber Security Legislative Proposal respectively. These particular points were chosen because of the effects each proposed action has not only on the entity that should be implementing it but also the effect it has on the whole nation when implemented improperly, or not at all.

Refine and clarify functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure security and resilience (The White House, 2013).

This particular point of analysis was chosen because it highlights the need for systems to work together fluidly and without interruption. If there is an interruption in any system for any reason, this particular point highlights how that affects the government as a whole.

Baseline framework to reduce cyber risk to critical infrastructure (Obama, 2013).

Creating and maintaining a set of standards is imperative to every sector of business whether government, private, or public. By maintaining a set standard, organizations and individuals alike know what is required of them and the industry as a whole is advanced as all professionals are operating under the same system of expectations.

Privacy and civil liberties protections (Obama, 2013).

Risk management is imperative for any internet security program to be effective and functional. Without a risk management plan in place, organizations leave themselves open to various attacks that threaten the consumers they serve as well as the veracity of their services.

Critical infrastructure and cybersecurity plans (Cyber Security Legislative Proposal, 2011).

Much like risk management plans, a complete and active cyber security plan is essential to any organization because it means that the entity is protected and actively monitored. Without an active plan in place, the organization and all of it’s pertinent data is likely to be poached by outside parties.

Analysis/Research

Refining and clarifying relationships

The greatest relationship in place for the Department of Human and Health Services (HHS) as it pertains to the directives outlined in the EO is the relationship with the Office of Civil Rights (OCR). The oversight and management responsibilities as it pertains to the Security Act and HHS, provide OCR with the ability to perform regulatory audits, reconcile issues of noncompliance, and/or impose monetary penalties as deemed necessary (Salmon, 2013). According to Salmon’s (2013) report, however, OCR has failed to fully meet the requirements as outlined, thereby leaving various aspects of HHS’ internet security program vulnerable and at risk for greater threats. As HHS is part of the critical infrastructure of the national government, this leaves the national government open to threat as well. The purpose of refining and clarifying relationships was to instill a system of accountability and advisement in order to strengthen the nation’s infrastructure (The White House, 2013), and though oversight from OCR could have been an amazing asset for the department of HHS, because the responsibility has not been carried out, HHS suffers. As a result of OCR’s lack of routine and preventative audit, various vulnerabilities were identified in HHS’ system and HHS consequently failed various evaluation points of its own (Salmon, 2013). The original effect of this policy meant that HHS would no longer have to rely upon its own resources in order to identify potential threats, however the value of the policy is yet to be observed in this instance.

Baseline framework to reduce cyber risk to critical infrastructure

This mandate originally meant a complete overhaul of the HHS security framework as it now worked to not only be compliant with HIPAA guidelines and directives but also those that were not being instituted as the standard by government officials (Department of Health and Human Services, 2014 May). Addressing this particular mandate meant that HHS strengthened pre-existing relationships while simultaneously forming new ones as they worked in collaboration in order to create a resilient and efficient network. In particular, this mandate birthed a chain of monthly joint briefings which address cyber threats, ways to improve network security, as well as identifying and prioritizing federal resources for cybersecurity (Department of Health and Human Services, 2014 May).

Privacy and civil liberties protection

This area is the one in which HHS has received its hardest hit due to its lack of a risk management protocol and program. According to the evaluation completed by the GAO (2006), HHS lacked a significant amount of internet controls and network security. This lack of security, presents a large window of opportunity for outside parties to gain access to the system. In addition to not having clear and defined security and/or risk management protocol in place, HHS also did not have a fully operational internet security program, thankfully PPD-21 changed all of this. According the HHS website (2014 March), the PPD-21 prompted a series of security system strategic goals aimed at improving the system’s network as well as increasing the viability and security of pertinent data. PPD-21’s call for data security while also sharing information, caused HHS to evaluate their current practices and then move to enhance their current practices in order to support improvements in health as well as fight fraudulent activities (Department of Health and Human Services, 2014 March).

Critical infrastructure and cyber security plans

This final area of analysis is one that has affected HHS the most as it works to enhance its security program to meet the needs of its consumers. As outlined by Salmon’s (2013) evaluation and the evaluation completed by the GAO (2006), the HHS was extremely susceptible to attack from outside parties due to its lack of cybersecurity infrastructure. The growth and improvement from 2006 to 2013 can be measured from the comments made by Salmon versus the problems identified by the GAO. Though HHS still has a lot of work to do as it pertains to being compliance, the improvements made in response to the mandates created are noticeable. For example, though the HHS has still not fully implemented its program, there are pieces such as password protection, data encryption, and collaboration with various entities that have been put into place in order to ensure that the organization moves closer to compliance than it has been in the past (Department of Health and Human Services, 2014 March).

Conclusion

The purpose of any government mandate as it pertains to national security and the nation’s infrastructure is to provide a system of networks that function to improve the quality of service and life for the American people. The purposes of the various mandates addressed in this paper are to increase the stability of the government by strengthening collaboration between various entities, creating a standard of practice and protocol for cybersecurity professionals, protecting the privacy and civil liberties of consumers, and creating solid and well-developed cybersecurity plans. Though the Department of Health and Human Services has quite a ways to go before it is in full compliance with the components of each of the mandates, it has come progressed significantly from where it stood eight years ago.

References

Cybersecurity legislative proposal. (2011 May). Retrieved from https://learn.umuc.edu/d2l/le/content/47852/viewContent/2363913/View

Department of Health and Human Services. (2014 March 10). Strategic goal 4: Ensure efficiency, transparency, accountability, and effectiveness of HHS programs. Retrieved from: http://www.hhs.gov/strategic-plan/goal4.html

Department of Health and Human Services (2014 May 12). HHS activities to enhance cybersecurity. Retrieved from: http://www.phe.gov/Preparedness/planning/cip/Pages/eo13636.aspx

GAO. (2006). Department of health and human services needs to fully implement its program (GAO-07-267). Washington, DC. Retrieved from: http://www.gao.gov/new.items/d06267.pdf

Obama, B. (2013, February 19). Executive order 13636 – Improving critical infrastructure cybersecurity. Federal Register. 78(33). Retrieved from: https://learn.umuc.edu/d2l/le/content/47852/viewContent/2363928/View

Salmon, T.M. (2013). The office for civil rights did not met all federal requirements in its oversight and enforcements of the health insurance portability an accountability act security rule. Washington, DC. Retrieved from: https://oig.hhs.gov/oas/reports/region4/41105025.pdf

The White House. (2013, February 12). Briefing Room. Retrieved 01 22, 2015, from The White House: http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil