Operating divisions within HHS displayed configuration management and access control vulnerabilities, according to an HHS Office of Inspector General report released earlier this month.
OIG contracted with Defense Point Security, a cybersecurity provider, to conduct network and web application penetration testing at four of the agency's 11 operating divisions in fiscal year 2016. The goal of the audit was to determine whether the operating division networks were able to detect cyberattacks and whether HHS security controls were able to prevent cyberattacks.
"On the basis of the systems we tested, we determined that security controls across the four HHS [operating divisions] needed improvement to more effectively detect and prevent certain cyberattacks," the report reads.
OIG provided a restricted report of the vulnerabilities to the four operating divisions. In written comments, HHS "in general concurred with all six of our observations in the draft report," according to OIG. The four operating divisions told OIG the vulnerabilities were corrected or in the process of being corrected.
OIG noted the agency did not validate the operating divisions' corrective actions.