A series of penetration tests conducted on the Department of Health and Human Services revealed that several of its component offices need to improve their cybersecurity, according to a report.
The HHS inspector general hired Defense Point Security in fiscal 2016 to pen test four of its 11 operating divisions — offices like the Centers for Disease Control and Prevention, and the Food and Drug Administration, though it didn’t specify in the public report which ones — “to determine whether security controls were effective in preventing certain cyberattacks, the likely level of sophistication an attacker needs to compromise systems or data, and HHS OPDIVs’ ability to detect attacks and respond appropriately.”
Ultimately, the contractor found that “security controls across the four HHS OPDIVs needed improvement to more effectively detect and prevent certain cyberattacks,” specifically keying in on “configuration management and access control vulnerabilities,” the IG report says.
“We shared with senior-level information technology personnel the common root causes for the vulnerabilities we identified,” it explains. “We provided actionable information regarding HHS’s cybersecurity posture, information on common vulnerabilities across OPDIVs, recommendations and strategies to mitigate exploited weaknesses, key indicators to better identify signs of attack or compromise, and lessons learned during testing.”
The IG issued six “observations” to the operating divisions, with which the divisions generally concurred, the report says. The offices since “conveyed that the vulnerabilities identified were corrected or were in the process of being corrected.”