OIG finds vulnerabilities in HHS cybersecurity controls, detection—report

There are security gaps across U.S. Department of Health and Human Services networks that put systems and data at risk of a cyber attack, according to a report (PDF) from the Office of the Inspector General.

OIG reviewed security controls across eight HHS operating divisions, using network and application penetration testing to evaluate how well HHS systems were protected when subjected to cyber attacks.

During testing in 2016 and 2017, an outside cybersecurity firm working with OIG identified vulnerabilities in configuration management, access control, data input controls, and software patching, according to OIG’s summary report.

OIG determined that security controls across the eight HHS operating divisions needed improvement to “more effectively detect and prevent certain cyber attacks.”


“Our objectives were to determine whether security controls were effective in preventing certain cyber attacks, the likely level of sophistication an attacker needs to compromise systems or data, and HHS operating divisions’ ability to detect attacks and respond appropriately,” OIG said in the report.

Based on the findings of the audit, OIG has now initiated a more in-depth review looking for indicators of compromise on HHS and operating division systems to determine “whether an active threat exists on HHS networks or whether there has been a past breach by threat actors,” OIG said.

OIG officials shared with senior-level HHS IT leaders a “restricted roll-up report” of the testing results, the common root cause for the vulnerabilities identified and four broad recommendations that HHS should implement across its enterprise to more effectively address the vulnerabilities. OIG plans to follow up with each operating division on the progress of implementing its recommendations.


“In written comments on our draft summary report, HHS management concurred with our recommendations and described actions it has taken or plans to take to ensure they are addressed,” OIG officials said. “HHS also indicated that the operating divisions have incorporated actions to address their individual vulnerabilities and that HHS will follow up with them to ensure that these have all been addressed.”  

In December, HHS published voluntary cybersecurity best practices for healthcare organizations and guidelines for managing cyber threats and protecting patients. That guidance was developed over two years with assistance provided by more than 150 cybersecurity and healthcare experts from industry and the government.

The guidance describes the five threats it considers most relevant to the sector and recommends 10 cybersecurity practices to help mitigate them.

The publication “demonstrates the department’s continued commitment to enhancing the security and resilience of the healthcare and public health sector,” HHS officials said in a press release about the guidance.