
HHS-OIG Tells HHS to Improve Cloud Security Controls

An audit of the Department of Health and Human Services (HHS) Operating Divisions by the HHS Office of Inspector General (HHS-OIG) identified an incomplete inventory of cloud systems, incorrectly implemented cloud security controls, and system security officers who lacked the necessary skills to protect cloud information systems.

HHS-OIG conducted an audit of the HHS Office of the Secretary (OS) cloud information system inventory and policies and procedures to determine whether the HHS and its operating divisions (OpDivs) had implemented effective cybersecurity controls for the cloud information systems owned, operated, or maintained by the HHS or its contractors in accordance with federal requirements.

HHS OS had identified the components within the cloud systems that HHS-OIG was able to assess; however, through interviews with HHS OS IT personnel and cross-referencing the HHS OS-provided inventory list with its HHS Federal Information Security Modernization Act (FISMA) system list for FY 2022, HHS-OIG identified 13 cloud systems that were missing from the inventory.

HHS OS officials explained that certain cloud systems were omitted from the inventory because HHS OS system owners and System Security Officers had failed to recognize some of their information systems as cloud systems. There were also no documented procedures for verifying the accuracy and completeness of the inventory list. Cybersecurity risks cannot be managed effectively without an accurate and complete inventory: a cloud system that is not inventoried is not assessed, so HHS OS may be unaware of misconfigurations or unpatched vulnerabilities in those systems.
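The cross-reference HHS-OIG performed, comparing the cloud inventory against the FISMA system list to find systems that should have been inventoried as cloud systems, can be automated. The following is an added example and is not code from the HHS-OIG audit or from The HIPAA Journal; the record layout, the `hosting` field, and the sample system names are constructed assumptions.

```python
"""Reconcile a cloud-system inventory against a FISMA system list.

Added example, not from the HHS-OIG report. The FismaSystem fields and the
sample systems are constructed; the check is the one the auditors describe:
every system the FISMA list marks as cloud-hosted must also appear in the
cloud inventory, and every inventoried cloud system should be on the FISMA list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FismaSystem:
    name: str
    hosting: str   # constructed field: "cloud", "hybrid" or "on-prem"
    owner: str


def normalize(name: str) -> str:
    """Canonical key so 'HR-Portal' and 'hr portal ' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def reconcile(cloud_inventory: list[str], fisma_list: list[FismaSystem]) -> dict:
    """Return systems missing from the cloud inventory and inventory entries
    that appear on no FISMA list at all (both are inventory-accuracy defects)."""
    inv_keys = {normalize(n) for n in cloud_inventory}
    fisma_keys = {normalize(s.name) for s in fisma_list}
    missing = [
        s for s in fisma_list
        if s.hosting in ("cloud", "hybrid") and normalize(s.name) not in inv_keys
    ]
    unknown = [n for n in cloud_inventory if normalize(n) not in fisma_keys]
    return {"missing_from_inventory": missing, "not_on_fisma_list": unknown}


def report(result: dict) -> list[str]:
    """Human-readable lines, one per defect, for the inventory owner."""
    lines = [
        f"MISSING  {s.name} (owner {s.owner}, hosting {s.hosting})"
        for s in result["missing_from_inventory"]
    ]
    lines += [f"UNKNOWN  {n} is inventoried but not on the FISMA list"
              for n in result["not_on_fisma_list"]]
    return lines


# Constructed sample data (not real HHS systems).
CLOUD_INVENTORY = ["HR Portal", "Grants-Mgmt", "Analytics Lake"]
FISMA_SYSTEMS = [
    FismaSystem("HR-Portal", "cloud", "OS/HR"),
    FismaSystem("Grants Mgmt", "cloud", "OS/Grants"),
    FismaSystem("Telehealth Gateway", "cloud", "OS/Health"),
    FismaSystem("Legacy Payroll", "on-prem", "OS/Finance"),
    FismaSystem("Case Tracker", "hybrid", "OS/Legal"),
]

if __name__ == "__main__":
    for line in report(reconcile(CLOUD_INVENTORY, FISMA_SYSTEMS)):
        print(line)
```

The two-sided comparison matters: systems present in the FISMA list but absent from the cloud inventory are the gap HHS-OIG found, while inventory entries that match nothing on the FISMA list point at naming drift that would hide further gaps.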


HHS OS had implemented some security controls; however, several key security controls had not been implemented correctly in line with federal regulations and guidelines. The controls that were in place did not prevent the simulated cyberattacks conducted during HHS-OIG penetration testing. In some cases, vulnerabilities were exploited, privileges were elevated to system level, and it was possible to access sensitive data such as PII and obtain unauthorized control of the components of two cloud systems.

One of the most serious failures was the lack of multifactor authentication for network access on three privileged accounts for one cloud system. High-risk ratings were issued in four other areas: access controls were not implemented on three cloud storage components to prevent sensitive data from being publicly accessible; access control policies were not enforced on 27 cloud components in accordance with the principle of least privilege; system flaws were not accurately identified, reported, or corrected in a timely manner for 25 cloud components; and web traffic encryption was not enforced on one remote server. As a result of those failures, some information stored in cloud environments could be at risk of compromise.
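The five findings above are all checks a cloud security tool can run continuously over an inventory. The following is an added example, not code from the HHS-OIG audit or The HIPAA Journal: it evaluates constructed component records against each finding (MFA on privileged accounts, publicly accessible storage holding sensitive data, over-broad permissions, flaws older than a remediation window, and servers not enforcing HTTPS). The record layout, field names, the 30-day window and the sample components are assumptions.

```python
"""Map each reported control failure to a check over cloud component records.

Added example, not from the HHS-OIG report. Record fields, the PATCH_SLA_DAYS
window and the sample components are constructed assumptions.
"""
from datetime import date

PATCH_SLA_DAYS = 30          # constructed remediation window for known flaws
TODAY = date(2024, 6, 1)     # fixed "today" so results are reproducible


def _finding(control: str, severity: str, detail: str) -> dict:
    return {"control": control, "severity": severity, "detail": detail}


def check_component(c: dict, today: date = TODAY) -> list[dict]:
    """Return the findings that apply to one component record."""
    out = []
    kind = c["type"]
    if kind == "account" and c["privileged"] and not c["mfa"]:
        out.append(_finding("mfa", "high", "privileged account without MFA"))
    if kind == "storage" and c["public_access"] and c["contains_sensitive_data"]:
        out.append(_finding("public-storage", "high",
                            "sensitive data in publicly accessible storage"))
    if kind == "iam_role":
        # Wildcard grants ("*" or "service:*") exceed least privilege.
        if any(a == "*" or a.endswith(":*") for a in c["actions"]):
            out.append(_finding("least-privilege", "high",
                                "role grants wildcard actions"))
    if kind == "server":
        stale = [f for f in c["open_flaws"]
                 if (today - f["found"]).days > PATCH_SLA_DAYS]
        if stale:
            ids = ", ".join(f["id"] for f in stale)
            out.append(_finding("flaw-remediation", "high",
                                f"flaws open past {PATCH_SLA_DAYS} days: {ids}"))
        if not c["https_only"]:
            out.append(_finding("transport-encryption", "high",
                                "web traffic encryption not enforced"))
    return out


def audit(components: list[dict], today: date = TODAY) -> dict:
    """Component id -> list of findings, omitting clean components."""
    result = {}
    for c in components:
        findings = check_component(c, today)
        if findings:
            result[c["id"]] = findings
    return result


def summarize(result: dict) -> dict:
    """Count of findings per control, in the order the report lists them."""
    counts = {}
    for findings in result.values():
        for f in findings:
            counts[f["control"]] = counts.get(f["control"], 0) + 1
    return counts


# Constructed sample records (not real HHS components or flaw identifiers).
COMPONENTS = [
    {"id": "acct-admin-1", "type": "account", "privileged": True, "mfa": False},
    {"id": "acct-admin-2", "type": "account", "privileged": True, "mfa": True},
    {"id": "acct-user-7", "type": "account", "privileged": False, "mfa": False},
    {"id": "bucket-reports", "type": "storage", "public_access": True,
     "contains_sensitive_data": True},
    {"id": "bucket-static", "type": "storage", "public_access": True,
     "contains_sensitive_data": False},
    {"id": "role-etl", "type": "iam_role", "actions": ["storage:Get", "*"]},
    {"id": "role-reader", "type": "iam_role", "actions": ["storage:Get"]},
    {"id": "vm-web-3", "type": "server", "https_only": False,
     "open_flaws": [{"id": "FLAW-PLACEHOLDER-1", "found": date(2024, 3, 1)}]},
    {"id": "vm-api-1", "type": "server", "https_only": True, "open_flaws": []},
]

if __name__ == "__main__":
    for cid, findings in audit(COMPONENTS).items():
        for f in findings:
            print(f"{f['severity'].upper():5} {cid:15} {f['control']:20} {f['detail']}")
    print(summarize(audit(COMPONENTS)))
```

Note that `bucket-static` is public but holds no sensitive data, so it is not flagged; the reported finding concerns sensitive data exposure, not public access as such. Unprivileged accounts without MFA are likewise left to a separate, lower-severity policy in this example.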

HHS-OIG attributed the security control issues to the appointment of HHS OS System Security Officers who lacked the necessary skill sets to adequately perform the roles and responsibilities for the job function. Those roles and responsibilities were defined in security policies, but there was no standardized process for ensuring qualified staff were assigned. Further, HHS OS failed to consistently confirm that the required security controls had been implemented in accordance with HHS security configuration guidance.

HHS-OIG recommended that procedures be developed to ensure that complete and accurate inventories are created and maintained, that all identified control findings are addressed, that the cloud security tools which identified the security failures are leveraged, that any identified security issues are promptly addressed, and that policies and processes are implemented to ensure that only qualified staff are appointed as System Security Officers. HHS OS concurred with all of the recommendations.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal.
