IG report: ‘Significant’ vulnerabilities spotted at CMS

Servers used by the U.S. Centers for Medicare and Medicaid Studies, or CMS, carry four known vulnerabilities, each susceptible to cyberattacks, according to an Office of the Inspector General, or OIG, report published Wednesday.

“The vulnerabilities that we identified were collectively and, in some cases, individually significant,” the report reads.

A series of wireless network penetration tests conducted by the IG’s office between Aug. 31 and Dec. 4, 2015, identified the software bugs. The report did not provide extensive details concerning the vulnerabilities due to the sensitive nature of the findings.


The report notes that the office has yet to find evidence that the vulnerabilities were exploited by hackers. But if hackers were able to breach CMS’ systems, PII could have been stolen and the network would have been disrupted, the report indicates.

“Exploitation could have resulted in unauthorized access to and disclosure of personally identifiable information, as well as disruption of critical operations … exploitation could [also] have compromised the confidentiality, integrity and availability of CMS’s data and systems,” wrote Amy Frontz, assistant inspector general for audit services.

CMS has said that the penetration tests were successful due to “improper configurations and [a] failure to complete necessary upgrades.”

Andrew Slavitt, CMS’ acting administrator, wrote in the report that his organization “concurred with all of the OIG findings and has already addressed several of the findings and is … addressing the remaining findings.”

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Mary's College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.
