OIG: Access, configuration security vulnerabilities at HHS

Operating divisions within HHS displayed configuration management and access control vulnerabilities, according to an HHS Office of Inspector General report released earlier this month.

OIG contracted with Defense Point Security, a cybersecurity provider, to conduct network and web application penetration testing at four of the agency's 11 operating divisions in fiscal year 2016. The goal of the audit was to determine whether the operating division networks were able to detect cyberattacks and whether HHS security controls were able to prevent cyberattacks.

"On the basis of the systems we tested, we determined that security controls across the four HHS [operating divisions] needed improvement to more effectively detect and prevent certain cyberattacks," the report reads.

OIG provided a restricted report of the vulnerabilities to the four operating divisions. In written comments, HHS "in general concurred with all six of our observations in the draft report," according to OIG. The four operating divisions told OIG the vulnerabilities were corrected or in the process of being corrected.

OIG noted the agency did not validate the operating divisions' corrective actions.

To access the OIG report, click here.

More articles on cybersecurity:
9 HIPAA settlement fines in 2017
Almost half of health IT pros cite email as most likely source of data breach: 4 survey insights
Trend Micro: 6 cybersecurity predictions for 2018

© Copyright ASC COMMUNICATIONS 2020. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Featured Content

Featured Webinars

Featured Whitepapers