OIG Audits Indicate Several Vulnerabilities at HHS Operating Divisions

Audits performed by the HHS’ Office of Inspector General (OIG) showed the HHS Operating Divisions (OPDIVs) to have several safety vulnerabilities.

From 2016 to 2017, OIG performed a number of audits at eight HHS OPDIVs to find out if enforced security controls were helpful at stopping cyberattacks. OIG additionally examined the capability of HHS OPDIVs to spot cyberattacks and the skill level attackers would most likely need to undermine OPDIV systems or get access to sensitive information.

Besides the audits of policies, and procedures and security controls, OIG made arrangements for Defense Point Security (DPS) to perform penetration tests for OIG to evaluate the efficiency of security defenses. The penetration tests were done according to government auditing requirements and decided Rules of Engagement between the OPDIVs and OIG.

At all eight HHS OPDIVs, the audits and penetration tests showed security vulnerabilities in configuration administration, access control, software patching and data input controls.
The senior-level HHS IT management received reports of the underlying causes of the problems coupled with four broad recommendations that need to be enforced throughout the entire HHS to enhance the HHS’s cybersecurity status. The HHS agreed with the four recommendations and defined the actions which are being undertaken to make sure to carry out the recommendations .

Every OPDIV was given a comprehensive report on the results of their audit and particular recommendations to enhance the efficiency of cybersecurity controls at stopping specific types of cyberattacks. Every OPDIV received the recommendations and has set a plan to address them. The HHS and OIG will follow them up to see to it that the plans were executed.

According to the audits and penetration tests results, OIG has developed a new collection of audits which are directed to determine if any of the discovered vulnerabilities were taken advantage of in historic attacks and if there are active risks on HHS networks.