The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

OIG to Conduct Penetration Tests to Assess HHS Application Security

The Office of Inspector General (OIG) has announced that it will continue to assess the information security controls of the Department of Health and Human Services (HHS) in 2017 to ensure those controls meet federal information security standards.

Audits will be conducted to assess the network security posture of the HHS. The main focus of the audits will be access controls and physical security. The audits will also look at web application and database security.

The OIG has announced that next year’s HHS audits will include penetration tests to check for vulnerabilities that could potentially be exploited by hackers to gain access to HHS systems.

State-sponsored hacking groups have been attacking government agencies with increased frequency in recent years. It is therefore essential to thoroughly assess security controls to ensure that networks and applications are not susceptible to cyberattacks.

Penetration testing will allow the OIG to assess how hackers could potentially gain access to networks and sensitive data, as well as the tools and techniques that could potentially be used to attack the HHS.

The HHS will be notified of any security weaknesses that are identified to allow them to be mitigated before they can be exploited by hackers.

The OIG will also assess the HHS security controls used to track prescription drug reimbursements and the HHS applications used to track the disbursement of prescription drugs. The OIG will also start assessing some of the privacy and security issues surrounding the use of Internet of Things devices.

According to the OIG, the Federal Information Security Modernization Act (FISMA) requires “agencies and their contractors maintain programs that provide adequate security for all information collected, processed, transmitted, stored, or disseminated in general support systems and major applications.” The HHS’ FISMA compliance program will also be reviewed in 2017.

The OIG’s 2017 work plan can be viewed on this link.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
