HHS investigates blockchain for securing log files
Connecting state and local government leaders
The HHS Division of Acquisition is working on a pilot to secure system logs required by the Continuous Diagnostics and Mitigation program.
It was a groundbreaking moment when the Department of Health and Human Services received an authority to operate for HHS Accelerate, which uses distributed-ledger technology, machine learning and artificial intelligence to streamline procurement. Now, the HHS Division of Acquisition is looking to test new blockchain applications to help it meet requirements of the Department of Homeland Security's Continuous Diagnostics and Mitigation program.
One potential application deals with securing the log files that HHS automatically collects on activity across its systems. CDM requires federal agencies to review all their audit/log files to check for suspicious activity.
Oki Mek, chief product officer in the HHS Division of Acquisition, thinks blockchain can be used to prevent the tampering with the log files.
“If the logs are fed into a blockchain instead of traditional log folders … then it is impossible for one person to delete or manipulate the logs because they are immutable and have provenance,” Mek told GCN. “It meets the audit log requirements of the CDM program because the log files would be a true record of what happened in the system without the risk of manipulation.”
“The blockchain will capture only simple audit log records in the digital ledger. The rest of the log information will be stored off-chain in an encrypted database,” Mek said. “If you have one story of the truth on what is on your network, who is on your network, what is happening on your network and how is your data being protect[ed], that solves a lot of your security risks.”
After the ATO was issued to HHS Accelerate in December 2018, it became easier for Mek’s team to experiment with the audit logs because the ATO requires HHS Accelerate document that it meets all of the necessary security controls.
“It is possible that the ATO process could be automated because you are reviewing things through an Excel spreadsheet or a Word document; the ATO process is heavily paper-based covering hundreds of security controls, which is currently done manually,” Mek said. “RPA could help with the mundane processes, and vulnerability testing can be completed automatically and continuously.”
Jose Arrieta, associate deputy assistant security for the HHS Division of Acquisition, told GCN that HHS Accelerate is “very close” to fully testing with live data. By June, Arrieta anticipates that the full acquisition lifecycle capability will be mapped.
“Our goal is to do … user testing on products and acquisition and contracting writing capabilities by December of next year,” said Arrieta. “While we are doing that testing, we would do the indexing on work" on data required to make the services run smoothly.
As HHS Accelerate continues to grow, other HHS units are taking note. Chris Chilbert, CIO of the HHS Office of Inspector General, has expressed an interest in working with the HHS Accelerate team to improve OIG’s procurement.
HHS Accelerate takes a “very common-sense approach,” Chilbert said. “All agencies have some need for acquisition, and we are all buying different things. To the extent that we can leverage the buying power across organizations, I think that it is going to be very valuable.”
While the HHS OIG has its own acquisition team, it is a small group, and Chilbert said it would be useful to have more accurate information from more sources so it can to move quickly to get the best deals available.
“When you start looking at in the context of IT modernization and Cloud Smart, the need for data that we use continues to grow,” Chilbert said. “The ability to ensure data immutability, security in the cloud and manage identities -- these are all use cases that I would expect to see in 2019 and 2020.”
NEXT STORY: Unlocking the black box of AI reasoning