OIG: HHS audit results reveal cybersecurity flaws in configuration, access controls

The watchdog’s biggest concern was the agency’s identity and access management at four operating divisions in 2016.
By Jessica Davis
02:37 PM
HHS cybersecurity audit

The U.S. Department of Health and Human Services security controls need improvement, and there are flaws in its configuration management and access controls, according to a new Office of the Inspector General report.

OIG audited four HHS operating divisions in 2016, penetration testing the agency’s network and web applications. The watchdog made six observations, which HHS concurred with, in general – and findings were identified by HHS and were either corrected or are in the process of being corrected.

The report was restricted and did not list specific flaws, but it’s just the latest in a series of reports that highlight the agency’s flawed security.

In March, OIG found that while HHS security programs had made slight improvements, nine areas had serious flaws. The watchdog’s biggest concern was the agency’s identity and access management. OIG found that two of HHS’ departments didn’t follow account management policies, including shared accounts and removing inactive accounts in a timely manner.

[Also: HHS task force says healthcare cybersecurity in 'critical condition']

And a Brookings Institution report from 2105 called HHS’ cybersecurity focus “abysmal.”

OIG will continue to audit HHS’ cybersecurity and incident response capabilities and will release the results in 2018.

Congress also is working to improve cybersecurity at HHS. House leaders introduced legislation in the fall to elevate cybersecurity leadership at the agency. If passed, the chief information security officer would be required to report directly to the HHS secretary – a move outlined in HIMSS’ three legislative goals for 2018.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com