[BreachExchange] OIG Finds Vulnerabilities in HHS Security Controls, Detection

Destry Winant destry at riskbasedsecurity.com
Tue Mar 19 02:59:13 EDT 2019


The Department of Health and Human Services' Operating Divisions (OPDIVs)
need to improve their security controls to more effectively detect and
prevent cyberattacks, according to a new Office of Inspector General

Officials said they conducted audits during fiscal years 2016 and 2017
at eight OPDIV sites by pen testing network and web applications. The
goal was to determine the effectiveness of HHS security controls in
preventing cyberattacks, as well as how sophisticated an attack needs
to be to compromise the network.

OIG also assessed the ability of these sites to detect and respond to
cyberattacks, by contracting with Defense Point Security to conduct
the pen testing. Officials found that the security controls of all
eight sites needed improvement to better detect and prevent attacks.

The pen testing revealed vulnerabilities in access controls,
configuration management, data input controls, and software patching.
Officials provided HHS with the root causes for these vulnerabilities
and four recommendations the agency should implement across its
enterprise to remediate the issues.

What’s notable is that while OIG did not reveal the specific
vulnerabilities nor the recommendations, officials said they’ve
initiated a new series of “audits looking for indicators of compromise
on HHS and OPDIV systems to determine whether an active threat exists
on HHS networks or whether there has been a past breach by threat
actors” – based on its most recent audit findings.

HHS was also provided separate reports that detailed the specific
recommendations for each OPDIV site. The officials concurred with
OIG’s findings and recommendations and provided the watchdog with the
actions it is taking or plans to take to address the vulnerabilities.

“HHS also indicated that the OPDIVs have incorporated actions to
address their individual vulnerabilities and that HHS will follow up
with them to ensure that these have all been addressed,” officials

OIG is responsible for conducting routine audits on security measures
for all federal agencies. Last March, an audit of HHS found the agency
had improved its security program, but it still struggled with risk
management, identity and access management, and other areas.

Most recently, an OIG audit of the National Institutes of Health found
security risks in NIH data sharing processes and controls. But NIH did
not concur with the findings to develop a security framework, conduct
a risk assessment, or implement additional data and security controls.
