HHS: Large southeastern hospital lacks cybersecurity controls

Federal auditors were able to gain access to a large southeastern hospital’s internal systems after successfully capturing an employee’s login credentials during a phishing campaign, according to the HHS Office of the Inspector General.

OIG found the hospital generally had cybersecurity controls in place to protect patient care and Medicare data but identified gaps that could leave it vulnerable to cyberattacks, per the Feb. 2 report.

During testing, auditors accessed an internet-facing account management application that lacked strong user authentication controls, including multifactor authentication, allowing them to log in using credentials obtained through phishing. OIG also found a public-facing web application that didn’t have proper input validation controls and was not protected by a web application firewall, potentially exposing it to injection attacks and malicious code insertion.

The hospital, which has more than 300 beds and is part of a larger system, agreed with all four of OIG’s recommendations and said it has taken steps to address the weaknesses. OIG said the audit is part of a broader series examining hospital cybersecurity controls amid rising healthcare cyber threats and did not identify the hospital due to security concerns.