OIG Audits Reveal Multiple Vulnerabilities at HHS Operating Divisions

Audits conducted by the HHS’ Office of Inspector General (OIG) have uncovered multiple security vulnerabilities at HHS Operating Divisions (OPDIVs).

Between 2016 and 2017, OIG conducted a series of audits at eight HHS OPDIVs to determine whether implemented security controls were effective at preventing cyberattacks. OIG also tested the ability of HHS OPDIVs to detect cyberattacks and the level of skill attackers would likely need to compromise OPDIV systems or gain access to sensitive data.

In addition to the audits of security controls, policies, and procedures, OIG arranged for Defense Point Security (DPS) to conduct penetration tests on behalf of OIG to assess the effectiveness of security protections. The penetration tests were conducted in accordance with government auditing standards and agreed-upon Rules of Engagement between OIG and the OPDIVs.

The audits and penetration tests revealed security vulnerabilities at all eight HHS OPDIVs in configuration management, access control, data input controls, and software patching.

The root causes of the problems were reported to senior-level HHS IT management along with four broad recommendations that should be implemented across the entire HHS to improve the HHS’s cybersecurity posture. The HHS concurred with all four recommendations and has described the actions that are being taken to ensure those recommendations are applied.

Each individual OPDIV was provided with a detailed report on the findings of its audit and specific recommendations to improve the effectiveness of its cybersecurity controls at preventing certain types of cyberattacks. Each OPDIV accepted the recommendations and has put a plan in place to ensure they are addressed. Both HHS and OIG will follow up to ensure those plans have been actioned.

Based on the findings of the audits and penetration tests, OIG has devised a new set of audits that aim to identify whether any of the vulnerabilities identified have been exploited in historic attacks and whether there are active threats on HHS networks.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
