WASHINGTON – The federal government, which is seeking ways to protect patient data as the nation moves toward a digital healthcare system, shows persistent weaknesses on the information security front, according to the Government Accountability Office.

Major federal agencies, including the Department of Health and Human Services, have made progress in implementing requirements highlighted in a previous GAO report, but significant weaknesses persist, GAO Director of Information Security Issues Gregory C. Wilshusen testified on May 19 before the House Subcommittee on Government Management, Organization and Procurement.

In its draft report, the GAO is recommending that the director of the Office of Management and Budget (OMB) take several actions, including revising guidance.

In their fiscal year 2008 performance and accountability reports, 20 of 24 major agencies noted that information system controls over their financial systems and information were either a significant deficiency or a material weakness, the report notes. In addition, over the last several years, most agencies have not implemented controls to sufficiently prevent, limit or detect access to computer networks, systems or information.

"Without proper safeguards, federal agencies' computer systems are vulnerable to intrusions by individuals and groups with malicious intentions who can obtain sensitive information, commit fraud, disrupt operations or launch attacks against other computer systems and networks," Wilshusen told the panel. "The risks to federal systems are well-founded for a number of reasons, including the dramatic increase in reports of security incidents, the ease of obtaining and using hacking tools and steady advances in the sophistication and effectiveness of attack technology."

Over the past few years, the 24 agencies have reported numerous security incidents in which sensitive information has been lost or stolen, including personally identifiable information, exposing millions of Americans to the loss of privacy, identity theft and other financial crimes, Wilshusen said.

He said agencies have experienced a wide range of incidents involving data loss or theft, computer intrusions and privacy breaches, underscoring the need for improved security practices.

When incidents occur, agencies notify the federal information security incident center, the US Computer Emergency Readiness Team (US-CERT).

The number of incidents reported by federal agencies to US-CERT has increased dramatically over the past three years, from 5,503 in fiscal year 2006 to 16,843 in fiscal year 2008 (about a 206 percent increase).