The Department of Health and Human Services’ Operating Divisions (OPDIVs) need to improve their security controls to more effectively detect and prevent cyberattacks, according to a new Office of Inspector General report.
Officials said they conducted audits during fiscal years 2016 and 2017 at eight OPDIV sites by penetration testing networks and web applications. The goal was to determine the effectiveness of HHS security controls in preventing cyberattacks, as well as how sophisticated an attack would need to be to compromise the network.
OIG also assessed the ability of these sites to detect and respond to cyberattacks by contracting with Defense Point Security to conduct the penetration testing. Officials found that the security controls at all eight sites needed improvement to better detect and prevent attacks.
The pen testing revealed vulnerabilities in access controls, configuration management, data input controls, and software patching. Officials provided HHS with the root causes for these vulnerabilities and four recommendations the agency should implement across its enterprise to remediate the issues.
What’s notable is that while OIG did not reveal the specific vulnerabilities or the recommendations, officials said that, based on its most recent audit findings, they’ve initiated a new series of “audits looking for indicators of compromise on HHS and OPDIV systems to determine whether an active threat exists on HHS networks or whether there has been a past breach by threat actors.”
HHS was also provided separate reports that detailed the specific recommendations for each OPDIV site. HHS officials concurred with OIG’s findings and recommendations and provided the watchdog with the actions it is taking or plans to take to address the vulnerabilities.
“HHS also indicated that the OPDIVs have incorporated actions to address their individual vulnerabilities and that HHS will follow up with them to ensure that these have all been addressed,” officials wrote.
OIG is responsible for conducting routine audits on security measures for all federal agencies. Last March, an audit of HHS found the agency had improved its security program, but it still struggled with risk management, identity and access management, and other areas.
Most recently, an OIG audit of the National Institutes of Health found security risks in NIH data sharing processes and controls. But NIH did not concur with the recommendations to develop a security framework, conduct a risk assessment, or implement additional data and security controls.