OIG finds vulnerabilities in HHS cybersecurity controls, detection—report


There are security gaps across U.S. Department of Health and Human Services networks that put systems and data at risk of a cyber attack, according to a report from the Office of the Inspector General.

OIG conducted a review of security controls across eight HHS operating divisions using network and application penetration testing to evaluate how well HHS systems were protected when subjected to cyber attacks.

During testing in 2016 and 2017, an outside cybersecurity firm working with OIG identified vulnerabilities in configuration management, access control, data input controls, and software patching, according to OIG’s summary report.



OIG determined that security controls across the eight HHS operating divisions needed improvement to “more effectively detect and prevent certain cyber attacks.”


“Our objectives were to determine whether security controls were effective in preventing certain cyber attacks, the likely level of sophistication an attacker needs to compromise systems or data, and HHS operating divisions’ ability to detect attacks and respond appropriately,” OIG said in the report.

Based on the findings of the audit, OIG has now initiated a more in-depth review looking for indicators of compromise on HHS and operating division systems to determine “whether an active threat exists on HHS networks or whether there has been a past breach by threat actors,” OIG said.

OIG officials shared with senior-level HHS IT leaders a “restricted roll-up report” of the testing results, the common root cause for the vulnerabilities identified, and four broad recommendations that HHS should implement across its enterprise to more effectively address the vulnerabilities. OIG plans to follow up with each operating division on the progress of implementing its recommendations.


“In written comments on our draft summary report, HHS management concurred with our recommendations and described actions it has taken or plans to take to ensure they are addressed,” OIG officials said. “HHS also indicated that the operating divisions have incorporated actions to address their individual vulnerabilities and that HHS will follow up with them to ensure that these have all been addressed.”  

In December, HHS published voluntary cybersecurity best practices for healthcare organizations and guidelines for managing cyber threats and protecting patients. That guidance was developed over two years with assistance provided by more than 150 cybersecurity and healthcare experts from industry and the government.

That industry guidance explores the five most relevant and current threats to the industry, and also recommends 10 cybersecurity practices to help mitigate these threats.

The publication “demonstrates the department’s continued commitment to enhancing the security and resilience of the healthcare and public health sector,” HHS officials said in a press release about the guidance.
