Weak Cloud Security Controls at the Administration for Children and Families Have Put Sensitive Data at Risk
The Department of Health and Human Services (HHS) Administration for Children and Families (ACF) has put the sensitive data of families and children at risk by failing to address security gaps in its cloud environment, according to a recent audit by the HHS Office of Inspector General (HHS-OIG).
HHS-OIG is conducting a series of audits of HHS divisions to determine if they have implemented effective cybersecurity controls for their cloud environments and are compliant with federal security requirements and guidelines. For the audit, HHS-OIG reviewed ACF’s cloud inventory, policies and procedures, and the configuration settings of ACF vulnerability scanners. Penetration tests were also conducted internally and externally on selected cloud information systems and web applications, and phishing tests were conducted on ACF personnel.
While ACF had implemented security controls to protect its cloud information systems and data, HHS-OIG identified gaps in its security controls and vulnerabilities that could be exploited by malicious actors to gain access to systems and the sensitive data of families and children. One of the main problems stemmed from its inventory of cloud computing assets, which was not comprehensive. HHS-OIG said ACF did not accurately identify all of its cloud computing assets because ACF did not establish policies and procedures to inventory and monitor cloud information system components.
If components are missing from the inventory, the security controls that prevent unauthorized access to them may be overlooked, leaving those components inadequately secured. Websites may also be left vulnerable because they are not kept up to date: patches are missed and misconfigurations go unidentified. While HHS-OIG did not identify any compromises, the vulnerabilities it found could be exploited to modify cloud systems and execute system commands, allowing access to sensitive data, including the personally identifiable information of families and children. If assets are not monitored, there is a risk that threat-hunting efforts will fail to detect compromises, giving adversaries the freedom to attack other components undetected.
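The inventory gap described above is easiest to see as a reconciliation problem. The following Python is an added example, not code from the HIPAA Journal article or the HHS-OIG audit: it compares a documented inventory against the resources actually discovered in a cloud account and against the vulnerability scanner's scope, and reports each category of gap. All resource names and sets are constructed.

```python
"""Reconcile a documented cloud inventory with discovered resources and scanner scope.

Three gap categories are reported:
  not_in_inventory - discovered in the cloud account but absent from the inventory
  not_scanned      - discovered but outside the vulnerability scanner's scope
  stale_entry      - listed in the inventory but no longer discoverable
Resource names below are constructed sample data, not real ACF systems.
"""

# Constructed sample data: what the inventory says exists
INVENTORY = {"vm-web-01", "vm-db-01", "storage-case-files"}
# Constructed sample data: what an automated discovery of the account returns
DISCOVERED = {"vm-web-01", "vm-db-01", "vm-web-02", "storage-case-files", "func-intake"}
# Constructed sample data: what the vulnerability scanner is configured to cover
SCANNER_SCOPE = {"vm-web-01", "vm-db-01", "storage-case-files"}


def reconcile(inventory, discovered, scanner_scope):
    """Return a dict mapping each gap category to a sorted list of resource IDs."""
    inventory, discovered, scanner_scope = set(inventory), set(discovered), set(scanner_scope)
    return {
        # Components that exist but were never recorded, so controls may not be applied
        "not_in_inventory": sorted(discovered - inventory),
        # Components that exist but will never be checked for missing patches or misconfigurations
        "not_scanned": sorted(discovered - scanner_scope),
        # Inventory entries that no longer correspond to a live resource
        "stale_entry": sorted(inventory - discovered),
    }


def has_gaps(report):
    """True if any category in a reconcile() report is non-empty."""
    return any(report[category] for category in report)


if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERED, SCANNER_SCOPE)
    for category, ids in result.items():
        print(f"{category}: {', '.join(ids) if ids else 'none'}")
    raise SystemExit(1 if has_gaps(result) else 0)
```

Run on a periodic schedule, a non-zero exit from the reconciliation is a simple trigger for updating the inventory and the scanner configuration before the gap becomes a missed patch.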
HHS-OIG also found that ACF did not perform adequate technical testing of its cloud systems and web applications, and so did not proactively identify the vulnerabilities HHS-OIG discovered, potentially putting data at a high risk of compromise. While ACF had implemented security controls to protect its cloud information systems, HHS-OIG identified several other controls stipulated in federal requirements and guidelines that had not been implemented.
HHS-OIG made several recommendations on how ACF should improve the security of its cloud information systems. The audit identified 19 security controls that need to be improved. HHS-OIG recommended that ACF update its cloud security procedures, conduct tests on its cloud information systems that emulate the tactics, techniques, and procedures of adversaries, and update and maintain a complete and accurate inventory of its cloud information systems and components. HHS-OIG also recommended that ACF leverage cloud security assessment tools to identify weak cybersecurity controls and misconfigurations. ACF concurred with all of HHS-OIG’s recommendations and described the actions it will take to address the identified issues.