Pen Testing of HHS Units Reveals WeaknessesOIG Report Highlights a Range of Security Concerns
Operating divisions of the Department of Health and Human Services need to shore up security controls to more effectively detect and prevent certain cyberattacks, according to a new federal watchdog report.
In a summary report issued Wednesday, the HHS Office of Inspector General highlighted several security controls that need improvement across eight HHS operating divisions. The weaknesses included configuration management, access control, data input controls and software patching, the report notes. Similar concerns have been raised in previous OIG reports.
The OIG report is based on findings from a series of audits in fiscal years 2016 and 2017 at eight unnamed HHS operating divisions. Network and web application penetration testing was conducted by a third-party contractor to determine how well HHS systems were protected when subject to cyberattacks, the study notes.
"Based on the findings of this audit, we have initiated a new series of audits looking for indicators of compromise on HHS and operating division systems to determine whether an active threat exists on HHS networks or whether there has been a past breach by threat actors," OIG says.
The report does not divulge details of the various security control vulnerabilities identified.
But OIG says it shared with senior-level HHS information technology managers "the common root causes for the vulnerabilities" discovered, information regarding HHS's cybersecurity posture, as well as "four broad recommendations" that HHS should implement to more effectively address these vulnerabilities.
OIG notes it also provided separate reports with detailed results and specific recommendations to each operating division after testing was completed. "We will be following up with each operating division on the progress of implementing our recommendations," the report states.
This isn't the first time security vulnerabilities were identified at HHS or its various operating divisions.
For instance, in a fiscal 2016 review of HHS compliance with the Federal Information Security Modernization Act of 2014, OIG identified a variety of weaknesses - including configuration management and access controls - that also were spotlighted in the latest OIG report.
The OIG's latest findings also are in line with the types of issues common at many healthcare organizations.
"The areas of concern that the OIG identified are very consistent with what is generally found when these tests are performed," says Mac McMillan, CEO of security consulting firm CynergisTek.
McMillan notes, however, that it's important to distinguish between the first three areas of weakness OIG highlighted - configuration management, access control and data input controls - and patching.
"The first three are literally failures of process that the organization is responsible for, while patch vulnerabilities are developed/identified on a regular basis. And depending on when the vulnerability was discovered in relation to when the test was performed, there may not have been a patch available yet or the organization may not have had time to apply it," he says.
'Name Your Poison'
But all of the security controls findings are potentially serious. A number of risk scenarios, including breaches, data corruption, unauthorized access and fraud, could occur as a result of these types of vulnerabilities, if they are not addressed, McMillan adds.
"A configuration management mistake could lead to system compromise. Faulty access controls could lead to a breach or data being stolen," he says. "Improper data input controls could lead to integrity issues. Missing patches could lead to systems or applications being exploited. Name your poison."
While the OIG report does not describe the recommendations made to HHS, the watchdog agency notes that HHS management concurred with the recommendations and described actions it has taken or plans to take to ensure they are implemented.
HHS also indicated that the operating divisions have started taking action to address their individual vulnerabilities and that HHS will follow up with them to ensure that these have all been addressed, the OIG notes.
"Generally, improving vulnerability management is a combination of discipline, technology and regular testing," McMillan notes. "Due to the dynamic nature of the problem, vigilance is important."
Mistakes are inevitable with the thousands of configuration and patching actions that need to be performed, he says. "Regular testing is healthy and necessary to find these issues - hopefully before the bad actors do."