Security controls across eight Department of Health and Human Services (HHS) operating divisions (OPDIVs) need improvement to better detect and counter cyberattacks, the agency’s Office of Inspector General (OIG) said in a report issued today.
In FY2016 and 2017, OIG contracted Defense Points Security to audit the OPDIVs – which the report did not identify – with both network and web application penetration testing to gauge the systems’ protection in the face of cyberattacks. The tests found vulnerabilities in configuration management, access control, data input controls, and software patching.
After sharing the root causes of the identified vulnerabilities with senior HHS information technology management, OIG made four broad recommendations for the department to implement to address those areas of risk. The public version of the report does not detail the recommendations. OIG, however, will follow up with each OPDIV on its progress in implementing them.
OIG also said it has initiated a new series of audits that aim to find compromises on HHS and OPDIV systems, to determine whether active threats exist on HHS networks or whether previous breaches have occurred.