FY 2022 Annual Performance Plan and Report - Goal 5 Objective 4

Fiscal Year 2022
Released June, 2021

Topics on this page: Goal 5. Objective 4 | Objective 5.4 Table of Related Performance Measures

Goal 5. Objective 4: Protect the safety and integrity of our human, physical, and digital assets

Providing security for HHS involves more than preventing breaches or cybersecurity attacks.  The Department's OpDivs and StaffDivs participate in efforts to preserve physical security; personnel security and suitability; security awareness; information security (including the safeguarding of sensitive and classified material); and security and threat assessments.  In addition, the Department has established a network of scientific, public health, and security professionals internally, as well as points of contact in other agencies (e.g., intelligence community and the Information Sharing Environment Council).  The Department has specialized staff to provide policy direction to facilitate the identification of potential vulnerabilities or threats to security, conduct analyses of potential or identified risks to security and safety, and work with agencies to develop methods to address them.

In the previous administration, the Office of the Secretary led this objective.  All divisions contribute to the achievement of this objective.  HHS has determined that performance toward this objective is progressing.  The narrative below provides a brief summary of progress made and achievements or challenges, as well as plans to improve or maintain performance.

Objective 5.4 Table of Related Performance Measures

Decrease the Percentage of Susceptibility among personnel to phishing (Lead Agency - ASA; Measure ID - 3.5)

Measure FY 2015 FY 2016 FY 2017 FY 2018 FY 2019 FY 2020 FY 2021 FY 2022
Target N/A N/A N/A Baseline 6.8% 6.5% 6.2% 6.0%
Result N/A N/A N/A 7% 4.5% 4.7% 12/31/21 12/31/22
Status N/A N/A N/A Actual Target Met Target Met Pending Pending

Phishing is a fraudulent attempt to obtain sensitive information (e.g.,  user names and passwords) to access a system or network.  Statistics suggest phishing attacks remain one of the main threat vectors targeting the health care industry.  Data from Google, CheckPoint, Gartner, and others indicate that both phishing attacks in general and those on registered COVID-19 related domains skyrocketed.  HHS trains and educates its personnel to reduce the likelihood of staff mistaking phishing email attempts for legitimate communications through a combination or training, education, and tools.  The response rates to phishing training drills remain well below the industry average.  HHS will continue this program in FY 2021 and strive to improve user reporting and resistance rates.

Maintain the number of days since last major incident of personally identifiable information (PII) breach (Lead Agency - ASA; Measure ID - 3.6)50

Measure FY 2015 FY 2016 FY 2017 FY 2018 FY 2019 FY 2020 FY 2021 FY 2022
Target N/A N/A N/A Baseline 365 366 365 365
Result N/A N/A N/A 365 365 366 9/20/21 9/20/21
Status N/A N/A N/A Actual Target Met Target Met Pending Pending

If an employee misuses, loses, or otherwise compromises PII, the action may result in steep financial costs and damage to the Department's reputation.  This measure serves as an enterprise-wide countdown since the last breach, based on the OMB definition of a major incident in the Department.  HHS has not reported a major breach in more than 1096 days.  HHS works closely with OpDiv privacy programs to continue to protect PII that is collected, used, maintained, shared, and disposed of by HHS information systems.  HHS will continue to work with privacy programs across the Department to ensure staff training in protecting and safeguarding PII.

50 HHS has updated the FY 2020 target for this measure to reflect that this is a leap year.

<< Return to Topics in this ReportTop of pageEvidence Building Efforts >>

Content created by Assistant Secretary for Financial Resources (ASFR)
Content last reviewed