The Department of Health and Human Services still needs to do more to improve its cybersecurity posture, according to a new government audit.
The new report, issued by the Office of Inspector General on Tuesday, adds to a handful of audits over the past several years raising concerns about security weaknesses across the agency.
Throughout 2016, the OIG conducted network and web application penetration testing on four operating divisions within HHS. The tests revealed the agency “needed improvement to more effectively detect and prevent certain cyberattacks,” according to the report. Auditors identified specific vulnerabilities tied to configuration management and access control.
The majority of the report was restricted but provided to HHS officials along with recommendations to mitigate exploited weaknesses.
OIG has a long history of singling out cybersecurity vulnerabilities within HHS despite incremental improvements. In March, the watchdog agency revealed nine areas where HHS still faced information security weaknesses. Nearly all of those weaknesses mirrored a similar report in 2016 that highlighted outdated policies surrounding patch management and training, inconsistent response mechanisms and incomplete action plans.
A 2015 study from the Brookings Institution called the federal health agency’s cybersecurity focus “abysmal.”
That level of scrutiny isn’t likely to let up anytime soon. OIG recently scheduled another evaluation of incident response capabilities at HHS to be published in 2018.
Meanwhile, House lawmakers have introduced legislation that would elevate cybersecurity leadership at HHS by requiring the chief information security officer to report directly to the secretary. HIMSS has made that issue one of its three legislative priorities.