OIG to Conduct Penetration Tests to Assess HHS Application Security
The Office of Inspector General (OIG) has announced that it will be continuing to assess the information security controls of the Department of Health and Human Services (HHS) in 2017 to ensure those controls meet federal information security standards.
Audits will be conducted to assess the network security posture of the HHS. The main focus of the audits will be access controls and physical security. The audits will also look at web application and database security.
The OIG has announced that next year’s HHS audits will include penetration tests to check for vulnerabilities that could potentially be exploited by hackers to gain access to HHS systems.
State-sponsored hacking groups have been attacking government agencies with increased frequency in recent years. It is therefore essential to thoroughly assess security controls to ensure that networks and applications are not susceptible to cyberattacks.
Penetration testing will allow the OIG to assess how hackers could potentially gain access to networks and sensitive data and well as the tools and techniques that could potentially be used to attack the HHS.
The HHS will be notified of any security weaknesses that are identified to allow them to be mitigated before they can be exploited by hackers.
The OIG will also assess HHS security controls to track prescription drug reimbursements and HHS’ applications that are used to track the disbursement of prescription drugs. The OIG will also start assessing some of the privacy and security issues surrounding the use of Internet of Things devices.
According to the OIG, The Federal Information Security Modernization Act (FISMA) requires “agencies and their contractors maintain programs that provide adequate security for all information collected, processed, transmitted, stored, or disseminated in general support systems and major applications.” The HHS’ FISMA compliance program will also be reviewed in 2017.
The OIG’s 2017 work plan can be viewed on this link.