Servers used by the Centers for Medicare and Medicaid Studies carry four known vulnerabilities that leave them susceptible to cyberattacks, according to an inspector general report published Wednesday.
“The vulnerabilities that we identified were collectively and, in some cases, individually significant,” the report reads.
A series of wireless network penetration tests conducted by the IG’s office between Aug. 31 and Dec. 4, 2015, identified the software bugs. The report did not provide extensive details concerning the vulnerabilities due to the sensitive nature of the findings.
The report notes that the office has yet to find evidence the vulnerabilities were exploited by hackers. But if hackers were able to breach CMS’ systems, PII could have been stolen and the network would have been disrupted, the report indicates.
“Exploitation could have resulted in unauthorized access to and disclosure of personally identifiable information, as well as disruption of critical operations … exploitation could [also] have compromised the confidentiality, integrity and availability of CMS’s data and systems,” wrote Amy Frontz, assistant inspector general for audit services.
CMS has said that the penetration tests were successful due to “improper configurations and [a] failure to complete necessary upgrades.”
Andrew Slavitt, CMS’ acting administrator, wrote in the report that his organization “concurred with all of the OIG findings and has already addressed several of the findings and is … addressing the remaining findings.”