Health IT

HHS won’t stop using Yammer despite security warning at VA

The U.S. Department of Health and Human Services has no plans to curtail use of enterprise social network Yammer, despite a scathing report detailing serious security risks associated with that platform at the Department of Veterans Affairs.

Last week, the VA’s Office of Inspector General issued a report calling Microsoft-owned Yammer “unapproved,” even though a former VA CIO promoted the network to employees. “Further, we found that it had vulnerable security features, recurring website malfunctions, and users engaged in a misuse of time and resources,” the report read.

Of particular note, the OIG was concerned that protected health information, as defined by HIPAA, could easily slip out.

VA officials reportedly said that they would comply with the report’s recommendations that they fully evaluate departmental use of Yammer and then decide whether this communications network meets all VA requirements. The VA said it would complete this by Oct. 1.

We know that HHS uses Yammer as well. At MedCity News ENGAGE in July, HHS CTO Susannah Fox mentioned that people in the HHS Idea Lab and other departmental employees were communicating among themselves on this platform.

An HHS spokesperson told MedCity News that HHS would not drop Yammer because the implementation there is different than the one at the VA. Notably, according to this spokesperson, HHS since 2012 has paid for the enterprise version of Yammer, which has tighter security and administrative controls than the free version widely used at the VA.

“From the outset, we have taken several steps to help ensure this tool is used properly and continue to evaluate how we use Yammer,” the HHS spokesperson explained in an e-mail. “We have enabled an active HHS-wide identity and access management system to ensure only current HHS employees with proper network credentials can use the site.”

Photo: Flickr user Cole Camplese 
