OIG Audits Reveal Multiple Vulnerabilities at HHS Operating Divisions
Audits conducted by the HHS Office of Inspector General (OIG) have uncovered multiple security vulnerabilities at HHS Operating Divisions (OPDIVs).
Between 2016 and 2017, OIG conducted a series of audits at eight HHS OPDIVs to determine whether implemented security controls were effective at preventing cyberattacks. OIG also tested the ability of HHS OPDIVs to detect cyberattacks and the level of skill attackers would likely need to compromise OPDIV systems or gain access to sensitive data.
In addition to the audits of security controls, policies, and procedures, OIG arranged for Defense Point Security (DPS) to conduct penetration tests on behalf of OIG to assess the effectiveness of security protections. The penetration tests were conducted in accordance with government auditing standards and agreed-upon Rules of Engagement between OIG and the OPDIVs.
The audits and penetration tests revealed security vulnerabilities at all eight HHS OPDIVs in configuration management, access control, data input controls, and software patching.
The root causes of the problems were reported to senior-level HHS IT management along with four broad recommendations to be implemented across the entire department to improve HHS's cybersecurity posture. HHS concurred with all four recommendations and described the actions it is taking to ensure they are applied.
Each OPDIV was provided with a detailed report on the findings of its audit and specific recommendations to improve the effectiveness of its cybersecurity controls at preventing the types of attack identified. Each OPDIV accepted the recommendations and has put a plan in place to address them. Both HHS and OIG will follow up to ensure those plans have been carried out.
Based on the findings of the audits and penetration tests, OIG has devised a new set of audits that aim to identify whether any of the vulnerabilities found have been exploited in past attacks and whether there are active threats on HHS networks.