An internal audit of the Department of Health and Human Services’ cybersecurity posture found that four HHS divisions need to improve their security controls, according to a summary report released Tuesday.
The HHS’s Office of Inspector General said that it conducted penetration testing on four of HHS’s 11 operating divisions throughout fiscal year 2016 with the help of contractor Defense Point Security. The summary did not specify which divisions were part of the audit, but said that OIG identified “configuration management and access control vulnerabilities.” The OIG hasn’t released the full report to the public, saying that some of the information is restricted.
The OIG says it issued recommendations to HHS to improve security controls, but didn’t specify the recommendations. The summary also said that the HHS operating divisions have corrected or are correcting the vulnerabilities, but that the OIG hasn’t validated those corrections yet.
Cybersecurity was identified as a focus area in the OIG’s 2017 report on the HHS’s “Top Management and Performance Challenges”, released in November.
“The Department must ensure that it takes appropriate actions to protect all HHS data and systems from cybersecurity threats. Similarly, HHS must protect its beneficiaries by fostering a culture of cybersecurity among its partners and stakeholders,” the challenges report read.
Requests for comment sent separately to HHS’ OIG and Defense Point Security went unanswered.