DHS Needs to Better Protect Employees’ Sensitive Info, IG Says

An audit found the agency falls short of federal privacy requirements

Homeland Security Department employees’ medical records and sensitive personal data are at risk if the agency doesn’t strengthen its privacy policies, according to an agency watchdog report.

The Homeland Security Inspector General found the agency’s Office of Health Affairs fell short of federal requirements for protecting personally identifiable information. The audit revealed the agency didn’t sufficiently train employees on best privacy practices and failed to give OHA’s top privacy official the authority to put in place a departmentwide privacy program.

The report also pointed out a number of security holes in platforms containing sensitive personal data, including one site that operated on a nonsecure portal and another that lacked a strong authentication system.

“Until steps are taken to address these information and system control deficiencies, the sensitive [personally identifiable information] that OHA collects and maintains will remain at risk,” auditors wrote.

The IG made 11 recommendations to bolster the office’s privacy procedures and put it in compliance with federal requirements. OHA leaders agreed with all of the recommendations.

The IG said many of the agency’s privacy shortcomings stemmed from leadership not creating a “culture of privacy” throughout the organization. For example, OHA did not have a process to determine whether its employees completed a required annual privacy training, and its privacy office lacked the resources to be effective, according to auditors.

OHA is one of the smallest DHS components with a staff of about 100 people. The office holds medical data on agency employees and is responsible for leading the agency’s response to health emergencies caused by natural disasters, pandemic diseases and chemical and biological attacks.