The 28-hospital Indian Health Service--a U.S. Department of Health & Human Services agency that provides healthcare to Native Americans and Alaskan Natives--failed a mock cyber attack carried out by the HHS Office of Inspector General, according to a report.
Penetration testers were able to gain unauthorized access to an IHS web server, which allowed access to the internal IHS network along with user account and password data on the system. The report labels this a high-risk vulnerability.
Testers also were able to take control of an IHS computer, which allowed access to the computer's resources, including records in the file system. The report labels this a medium-risk vulnerability.
IHS staff were not notified beforehand, since OIG wanted to gauge their response.
The report recommends that IHS fix the vulnerability on the web server, implement more effective procedures to protect its computer systems from cyber attacks and periodically measure adherence to IHS security policies and procedures.
In addition to the 28 hospitals, IHS operates 61 health centers, 34 health stations and 33 urban Indian health projects that provide a variety of health and referral services. A 2011 audit found IHS' network security controls inadequate.
"The security vulnerabilities identified presented an increased risk that unauthorized individuals could gain access to the IHS network and potentially to the U.S. Department of Health & Human Services network," the report says of the 2011 audit.
This test, it states, was to determine whether IHS network systems were susceptible to compromise by cyber attacks.
A new HIMSS security survey found that healthcare organizations are boosting spending on their data-security efforts.
Meanwhile, a recent Ponemon Institute report found healthcare organizations making some headway in their efforts to secure patient information, though it also determined that criminal attacks on healthcare systems have risen 100 percent since its 2010 report.
HHS and the Health Information Trust Alliance recently announced a partnership to provide simulated attacks against healthcare networks and to conduct monthly threat briefings, starting in April, in an expansion of industry cyber threat preparedness and education efforts.
To learn more:
- find the report (.pdf)