Multiple Flaws Found in HHS Security Posture Following Pen Tests

Dan Gunderman

The U.S. Department of Health and Human Services (HHS) apparently has a long way to go to get its cyber security practices in order.

At least that’s what the Office of the Inspector General (OIG) has found. Results have been published in their latest report.

According to the OIG, HHS has flaws in its configuration management and access controls.

The watchdog’s report indicates that they carried out “a series of OIG audits at four HHS Operating Divisions (OPDIVs) using network and web application penetration testing to determine how well HHS systems were protected when subject to cyberattacks.”

The audit came back in 2016, when the OIG conducted tests at the four HHS OPDIVs. Subject matter experts at Defense Point Security were contracted to carry out the relevant penetration testing.

The audit found that “security controls across the four HHS OPDIVs needed improvement to more effectively detect and prevent certain cyberattacks.”

In its audit, the watchdog reported configuration management and access control vulnerabilities.

See Related: Cyber Security Spending Is Going Up And Here's Why

Furthermore, the OIG shared the findings with senior-level information technology personnel, provided “actionable information” about the HHS’s cyber security posture and on common vulnerabilities. The office also provided recommendations and strategies for mitigating the weaknesses.

The office said that the HHS concurred with the reported findings – which did not pinpoint specific flaws.

“The four HHS OPDIVs that were part of the penetration testing generally concurred with our summary findings and conveyed that the vulnerabilities identified were corrected or were in the process of being corrected,” the report reads.

Similarly, according to Healthcare IT News, the same office announced identity and access management (IAM) flaws embedded in the HHS network earlier this year. The OIG reportedly discovered that two HHS departments did not follow account management policies.

See Related: Incident Of The Week: Unsecure Cloud Could Have Compromised 123M Americans

A Brookings Institution report from 2015 labeled the HHS security posture as “abysmal,” according to the same site.

The audit over the federal government’s healthcare department will continue, and the OIG will reportedly release more results in 2018.

The news report also outlines efforts made in Congress to improve the department’s cyber security practices – one measure being a different leadership and reporting structure. Should the legislation go into effect, the HHS chief information security officer would report to the HHS secretary.

While the OIG findings don’t quite bode well for the large-enterprise layout, they stand to show that routine maintenance, diligence and even pen testing (and other red team activities) remain pivotal resources in improving the overall security dynamic of a company or agency.

Demanded visibility and transparency are factors in the HHS audit that will ultimately help improve the department’s shaky footing. The same variables work for any enterprise environment – SME or large enterprise, and across industries.

Photo credit: