In March 2019, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its summary report of penetration testing of certain HHS Operating Division networks. The purpose of the audits was to determine whether the Operating Divisions’ existing security controls were effective to prevent cyberattacks, the level of sophistication that an attacker would need to compromise the Divisions’ systems or data, and the Operating Divisions’ ability to detect and respond to cyberattacks.
The OIG conducted penetration testing at eight HHS Operating Divisions in fiscal years 2016 and 2017. Following this testing, the OIG concluded that the existing security controls at the audited HHS Operating Divisions needed to be improved to better detect and protect against cyberattacks. The OIG informed HHS of a number of vulnerabilities, including issues with access control, data input controls, configuration management and software patching.
Following the audits, the OIG provided HHS with four recommendations to implement across its operations to address the identified vulnerabilities. The OIG summary report noted that HHS management agreed with the OIG’s recommendations and that HHS and the eight Operating Divisions audited have or are working to implement the recommendations.
After the initial audit findings, the OIG summary report details how the OIG is working on new audits, reviewing for active threats on HHS networks, as well as past breaches by threat actors.
The OIG’s audits of the HHS Operating Divisions serves as a reminder to health care entities to review their own cybersecurity processes and controls and to take steps to address and mitigate any identified issues.
Copyright © 2019, American Health Lawyers Association, Washington, DC. Reprint permission granted.