How HHS, GSA Tackled Data Security During COVID-19

The COVID-19 pandemic uncovered many challenges across government, and leaders are discussing how they approached various modernization of data and associated data-sharing processes for improved security and collaboration.

“The one thing we recognized was that in a state of emergency, I’ve never seen a situation where the data availability was so critical for the government to respond. It was so critical, you could tie it to the number of lives saved,” said Kamran Khaliq, CISO at the Department of Health and Human Services’ Office of the Secretary, during ATARC’s Integrated Cyber Strategies Virtual Summit. “We didn’t care where the data was, we wanted it.”

Khaliq said HHS needed to modernize its access management system to effectively share data with mission partners.

“This was critical. To understand the usefulness and sensitivity of the data, it had to go back to the data stewards. We had to get that integrated into the process, in addition to ensuring that our system was built to comply, integrate and automate [data use agreements],” Khaliq said.

Together with the General Services Administration, HHS developed its Managed Trusted Internet Protocol Services (MTIPS) and review processes at the beginning of the pandemic. As part of GSA’s strategy to modernize the government’s IT and telecommunications infrastructure, GSA pushed the shift from legacy telecommunications contracts to its new enterprise infrastructure solutions (EIS) vehicle.

“When we’re talking about secure modernization, one of the focuses is eliminating a like-for-like transition.”

“We are highly suggesting, during our scope reviews, to at least move into Ethernet instead of traditional [time-division multiplexing] (TDM), [digital signal 3] (DS3s) and traditional circuits,” said GSA Solutions Architect Justin Morgan.”

Also as part of its ongoing modernization in acquisition, GSA’s EIS vehicle has added new language to ensure that solutions are able to evolve over time — a catalyst for ongoing modernization. Managed security services will also increase protection with trusted providers.

“Agencies are trying to modernize, but that means that they have to run parallel environments,” Morgan said. “A lot of times the funding isn’t there, so they’ll start down a path and then they have to pause and rethink it after receiving the bill. Budgeting is a real challenge when it comes to modernizing.”

To improve security, HHS and other federal agencies are working on hybrid zero trust because of the zoning and maturation of the supply chain, Khaliq said. Referencing DHS’ supply chain efforts, he noted that there has to be greater organization to build out supply chain management.

“That is a huge risk and weakness. We saw that with the SolarWinds breach, but there are so many other areas that need to be resolved on that front, and governance is needed,” Khaliq said.

A lack of diversity with tools and technologies increases the impact of risks and attacks, he said. Moving forward, that will be a major area of review for the agency. HHS CIO Perryn Ashmore last month said security is a priority investment that will be improved with approaches like zero trust.