Indian Health Service: Security Issues
Penetration Testing Identifies Risks that Need Mitigation
Penetration testing of the Indian Health Service's systems by a federal watchdog agency revealed vulnerabilities that could pave the way for exposing passwords and other information, according to a new report.
One security expert says that these vulnerabilities at the 28-hospital IHS, if left unmitigated, could create a long list of risks as well as potential threats to other Department of Health and Human Services systems. IHS is a unit of HHS.
The HHS Office of Inspector General's newly released report on the penetration tests does not include specific details of the IHS' network vulnerabilities "due to the sensitive nature of the information."
The report notes, however, that through penetration testing over four days last June, OIG was able to obtain unauthorized access to an IHS web server, which enabled access to an internal network and exposed account and password data on the system, including user names and passwords for IHS databases. OIG flagged this finding as "high risk."
OIG said it also was "able to take control of an IHS computer, which allowed access to the computer's resources, including records in the file system," presenting "medium risk."
In a statement provided to Information Security Media Group, D. Patterson, OIG IT audit manager, says, "As was indicated in the report, the vulnerabilities did present risk that unauthorized users could obtain access to the HHS network; however, our testing did not go beyond the IHS network." The statement also noted: "During the course of our audit, IHS security staff immediately responded to remediate the high risk vulnerable web server on the network."
The penetration testing at IHS was part of an OIG audit, the first in a series of audits of HHS and its 11 operating divisions.
"Protecting beneficiaries' and providers' personally identifiable information and personal health information is critical because fraud perpetrators often use stolen beneficiary or physician identities, or both, to submit false claims to the programs," the report says. A penetration test at another HHS operating division was completed in 2013, but the results have not been released, Patterson says.
IHS did not reply to a request for comment.
Many Potential Risks
Security expert Mac McMillan, CEO of the consultancy CynergisTek, says the problems found by OIG potentially pose many risks, including: corruption of data; loss or theft of information; downtime of systems or applications; misuse of assets; infection of systems; identity theft or fraud; and corporate defacement. "Most important to healthcare, though, would be loss of availability of the system or corruption/loss of data," he says.
Additionally, the vulnerabilities could pose a risk to other HHS systems, he says. "It's certainly possible, but not in all situations."
The report notes: "IHS needs to address cyber vulnerabilities on its computer network. Computer hackers are increasingly attempting to compromise government systems, publish sensitive data, and use stolen data to commit fraud."
The report says threats to federal agencies' Web applications are continually changing because of advances made by hackers, the release of new technology, and the deployment of increasingly complex systems. "Web sites that are not secured properly create vulnerabilities that could be exploited by an unauthorized user to compromise the confidentiality of sensitive information," it notes.
Cyber-attacks through targeted e-mail messages account for the vast majority of attacks on federal and private-sector networks, the report adds. "These attacks could significantly impact the operations of federal agencies and expose sensitive data."
OIG says it made six detailed recommendations to IHS to correct the issues found in the cyber testing. "We recommended that IHS fix the vulnerability on the IHS web server, implement more effective procedures to protect its computer systems from cyber-attacks, and periodically measure adherence to IHS security policies and procedures."
The report also notes that IHS concurred with all of OIG's recommendations and described the actions it will take to implement them.
While the report did not reveal the specific recommendations that OIG made to IHS, McMillan says, "Whenever we start talking about improving the technical integrity of our network/systems environment, the first step is to address the critical processes that enable a secure enterprise ... processes like configuration management, change control, hardening practices, patch management and testing. Improve these and you improve testing results and reduce opportunities for exploitation dramatically."
Many other healthcare organizations have vulnerabilities similar to those at IHS, McMillan contends.
"Right now, they are all too common, but that is beginning to change," he says. "More and more healthcare entities are beginning to test, just not on a regular basis yet. Both the technical environment and the threat landscape are so fluid that testing infrequently is not really effective."
Privacy and security expert Kate Borten, principal of the consultancy The Marblehead Group, also stresses that organizations should perform penetration tests on a regular basis.
"They're usually not expensive, and there are many reputable security firms able to do this. Some organizations do it themselves annually and then have an outsider do it every other year," she notes.
The June testing of the IHS network was a follow-up to a separate OIG information technology general controls audit in 2011 that found IHS's network security controls were inadequate, the report notes.
While the report does not specifically indicate whether the vulnerabilities found in IHS network security pose immediate risks, OIG notes that high-risk findings indicate "a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible."
For medium risk findings, "corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time."
IHS provides health services directly, through tribally contracted and operated health programs, and through services purchased from private providers. The system includes 28 hospitals, 61 health centers, and 34 health stations. In addition, 33 urban Indian health projects provide a variety of health and referral services.
During Congressional hearings into the troubled launch of the HealthCare.gov site for federally facilitated health insurance exchanges under the Affordable Care Act, some security experts expressed concerns about hackers attacking the marketplace through various federal agencies that connect to the Obamacare site and systems (see HealthCare.gov: How Secure Is It Now?).