Senate Finance Committee Chairman Chuck Grassley wants to know what the U.S. Department of Health and Human Services (HHS) is doing to address critical deficiencies in the department's cybersecurity controls and detection following an Office of Inspector General report that found numerous security gaps.
In a letter to HHS Secretary Alex Azar, Grassley (R-Iowa) is demanding that HHS provide information about how the department is addressing the issues raised in the report and the steps it is taking to follow OIG's recommendations to strengthen its cyber posture and address vulnerability gaps.
"The Department must take immediate, sustained, and effective action to reduce and eliminate these threats and better protect its systems," Grassley wrote. He is requesting written responses from HHS by April 23 and a briefing by April 30.
The OIG report, issued last month, identified security gaps across HHS networks that put systems and data at risk of a cyber attack.
OIG conducted a review of security controls across eight HHS operating divisions using network and application penetration testing to evaluate how well HHS systems were protected when subject to cyber attacks. During testing in 2016 and 2017, an outside cybersecurity firm working with OIG identified vulnerabilities in configuration management, access control, data input controls, and software patching, according to OIG’s summary report (PDF).
According to Grassley, the OIG report uncovered some critical deficiencies and issues, specifically that the likely level of sophistication needed by a prospective attacker to successfully infiltrate HHS operating division networks is low to moderate and does not require significant technical knowledge.
In addition, during testing, OIG identified 197 vulnerabilities, including 37 classified as critical.
According to a copy of the report included with Grassley's letter, HHS OIG said, "We were able to gain access to various devices on the network, escalate privileges, evade detection, and gain unauthorized access to personally identifiable information (PII) at four of the eight OPDIVs (operating divisions) that we tested."
In gaining that access, the penetration testers were able to reach personally identifiable information in more than 9,000 records, which included phone numbers, address information, case information, and some photographs, according to Grassley.
Further, the report stated that "[v]ery little of our penetration testing activity was detected by HHS OpDiv monitoring controls."
OIG officials shared with senior-level HHS IT leaders a “restricted roll-up report” of the testing results, the common root cause for the vulnerabilities identified and four broad recommendations that HHS should implement across its enterprise to more effectively address the vulnerabilities. OIG plans to follow up with each operating division on the progress of implementing its recommendations.
“In written comments on our draft summary report, HHS management concurred with our recommendations and described actions it has taken or plans to take to ensure they are addressed,” OIG officials said. “HHS also indicated that the operating divisions have incorporated actions to address their individual vulnerabilities and that HHS will follow up with them to ensure that these have all been addressed.”
In the report, OIG issued several recommendations, which include the use of standard security requirements, requiring contractors to comply with appropriate security standards, and improving continuous monitoring procedures, according to Grassley.
Grassley is demanding that HHS provide information describing how the department has implemented fixes sufficient to close the recommendations, as well as a timeline outlining the implementation of the recommended policies and the anticipated dates of compliance.