The Health and Human Services (HHS) Office of Inspector General (OIG) created a summary report in March 2019 based on audits and results of penetration tests from 2016 and 2017. The summary report covered eight unnamed HHS operating divisions.
During the network and web-application penetration tests, many vulnerabilities were discovered. They included issues with software patching (think missing patches), configuration management, access control, and data input controls. Many of these have been brought up in previous OIG reports, so this isn't a new issue. Specifics on the vulnerabilities were not provided in the report, since publishing them could cause significant damage to the divisions.
OIG stated that the penetration tests were conducted by a third-party contractor. The goal was to find out how well HHS systems were protected from cyberattacks, and how well they would hold up during one.
Based on the results of those penetration tests, OIG is now looking for indicators that any of the HHS divisions were compromised, or that there is a current, active threat on their networks.
OIG also provided remediation recommendations to each of the divisions and will follow up at a later date to ensure that the recommendations have been implemented, or that another appropriate fix was used. HHS management concurred with the recommendations, and plans are now in place to address them.
Regardless of the type of vulnerability discovered, all of these are serious concerns. Possible ramifications include breaches, unauthorized access and fraud, and data corruption.
The good news is that penetration tests conducted by a reputable third party can identify vulnerabilities before a malicious actor gets to them. A penetration test does not protect against breaches by itself; it is a point-in-time assessment, and it only helps if the organization actually fixes what was found and then verifies the fixes. That is exactly why OIG's follow-up on the recommendations matters.