The Department of Health and Human Services’ Office of the Inspector General says it instituted an ongoing series of cybersecurity audits on HHS networks in response to what it found during penetration tests in fiscal 2016-17.
The public version of the report does not specify DPS’s methods or what the company found in trying to “red team” the department’s networks. Overall, the project covered eight of HHS’s 11 operating divisions (OPDIVs) over two years.
“During testing, we identified vulnerabilities in configuration management, access control, data input controls, and software patching,” the report says.
OIG says HHS cooperated with the testing and accepted the inspector general’s recommendations.
“[W]e have initiated a new series of audits looking for indicators of compromise on HHS and OPDIV systems to determine whether an active threat exists on HHS networks or whether there has been a past breach by threat actors,” the report summary says.
The OIG says it will be following up with each OPDIV to ensure specific issues are addressed.
“We shared with senior-level HHS information technology management the common root causes for the vulnerabilities we identified, information regarding HHS’s cybersecurity posture, and four broad recommendations that HHS should implement across its enterprise to more effectively address these vulnerabilities,” the OIG says. “We also provided separate reports with detailed results and specific recommendations to each OPDIV after testing was completed.”
The fiscal 2017 testing essentially doubled the number of OPDIVs covered by the OIG project — four were initially tested in fiscal 2016.