TRENDING:

IG: HHS Must Improve Access Controls

Audit Uncovers 5 High-Risk Vulnerabilities Eric Chabrow (GovInfoSecurity) • July 25, 2014    
IG: HHS Must Improve Access Controls

The Department of Health and Human Services inspector general has criticized HHS for failing to implement security controls on the system that provides computerized access to physical facilities and computer networks.

See Also: Live Webinar Tomorrow | Cyber Resilience: Recovering from a Ransomware Attack

"Security controls over the implementation of the HSPD-12 at HHS were inadequate because essential information security requirements were not implemented," Thomas Salmon, HHS assistant inspector general, writes in a summary of an audit on the department's personal identity verification cards program.

Homeland Security Presidential Directive-12 created a policy to identify and authenticate government employees and contractors who access government buildings and computer systems.

Inconsistencies Found

Salmon says the IG review determined HHS wasn't consistent in complying with federal guidance when implementing its HSPD-12 system. The IG identified six categories of vulnerabilities, all but one deemed as high risk. They include:

  • The implementation of the HSPD-12 lacked controls to ensure that HHS met all credentialing requirements and provided training to employees who performed HSPD-12 roles. HHS failed to establish a standard in which key roles had to be held by different employees to ensure adequate separation of duties and verify integrity of PIV credentials.
  • HHS failed to deactivate PIV cards in a timely manner.
  • The department's implementation of the HSPD-12 lacked controls to ensure that management had implemented policies and procedures associated with access to the PIV system and protection of sensitive system information.
  • The data center facility's network firewall configuration policies did not comply with HHS policy or guidelines. Security management controls - including patch management, anti-virus management and configuration management - were not implemented on HSPD-12 workstations at any of the division PIV card issuance facilities that the IG audited. HHS allowed nongovernmental computers to connect to card management systems.
  • Physical security controls, which help ensure that physical access to key areas within the PIV card issuance facilities is restricted to authorized personnel, were not adequate for the PIV system.
  • Vulnerabilities were identified in 17 categories on the HHS PIV system Web portal test sites that were scanned. This was the only vulnerability that the IG did not deem high risk; it characterizes the Web vulnerability as a moderate risk.

Salmon says the IG issued only a summary of the audit because of the sensitive nature of specific findings. He did not make public the details of its recommendation, but he says HHS's Office of Security and Strategic Information had concurred with 14 of the 18 recommendations.

HHS did not respond to a request for a comment on the IG findings.

Previous
Alleged UK Hacker Charged a 3rd Time
Next
Why White House Hasn't Backed CISA

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



Around the Network

The State of Security Leadership
The State of Security Leadership
Critical Considerations for Generative AI Use in Healthcare
Critical Considerations for Generative AI Use in Healthcare
Addressing Security Gaps and Risks Post-M&A in Healthcare
Addressing Security Gaps and Risks Post-M&A in Healthcare
Threat Modeling Essentials for Generative AI in Healthcare
Threat Modeling Essentials for Generative AI in Healthcare
Inside Look: FDA's Cyber Review Process for Medical Devices
Inside Look: FDA's Cyber Review Process for Medical Devices
Why Connected Devices Are Such a Risk to Outpatient Care
Why Connected Devices Are Such a Risk to Outpatient Care
Zero Trust, Auditability and Identity Governance
Zero Trust, Auditability and Identity Governance
Why OT Security Keeps Some Healthcare Leaders Up at Night
Why OT Security Keeps Some Healthcare Leaders Up at Night
Generative AI: Embrace It, But Put Up Guardrails
Generative AI: Embrace It, But Put Up Guardrails
Why Entities Should Review Their Online Tracker Use ASAP
Why Entities Should Review Their Online Tracker Use ASAP

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.