OIG finds 'significant' security flaws in CMS' wireless networks
The wireless networks of the Centers for Medicare and Medicaid Services have "significant" vulnerabilities, according to penetration tests administered by the Office of Inspector General.
OIG administered penetration tests at 13 CMS data centers and facilities from Aug. 31, 2015, to Dec. 4, 2015, during which it simulated wireless cyberattacks using tools and techniques commonly employed by cybercriminals.
While CMS had "effective" security controls in place that could prevent certain types of wireless cyberattacks, according to the report, OIG discovered four vulnerabilities in its wireless network security controls.
There was no evidence these vulnerabilities had been exploited, according to the report. However, exploitation could have led to unauthorized access, disclosure of personally identifiable information and disruption of critical operations, and could have compromised the integrity of CMS data and systems.
"We recommended that CMS improve its security controls to address the wireless network vulnerabilities we identified," said OIG officials in the report. "When implemented, these recommendations should further strengthen the information security of CMS's wireless networks.
"The assumption of risk is part of the security control process and each U.S. Department of Health and Human Services operating division has the authority to make risk-based decisions," they added. "The justification of risk acceptance must be documented and should be certified by the appropriate operating division management."
OIG did not reveal the specific vulnerabilities or its recommendations due to the sensitive nature of the findings.
CMS was notified of the specific details found by OIG and concurred with the findings, according to the report. Several of the security issues have been addressed by CMS. Further, CMS accepted the risk of some vulnerabilities.
"CMS acknowledges that risks exist inherently for every IT system and that as technology progresses, additional safeguards will be needed," CMS Acting Administrator Andy Slavitt said in response to OIG.
"Through the enforcement of documented policies and procedures, as well as dedicated information security staff, CMS protects the security and privacy of data," he added. "CMS appreciates the OIG's suggestion of controls and processes that could be improved to further reduce or mitigate risk."