- Wireless penetration tests at 13 data centers operated by CMS revealed “significant” cybersecurity gaps, a new report by HHS Office of Inspector General says.
- While CMS’ security controls were effective in preventing some types of wireless cyberattacks, the test identified four vulnerabilities that could lead to unauthorized access and use.
- OIG conducted the tests between Aug. 31 and Dec. 4, 2015, simulating certain wireless cyberattacks using tools and techniques frequently used by hackers.
The vulnerabilities were due to improper configurations and not completing upgrades that CMS had previously identified as being needed, according to OIG. The findings add fuel to a growing consensus that cybersecurity efforts within the healthcare industry still need some work.
“The assumption of risk is part of the security control process and each U.S. Department of Health and Human Services operating division has the authority to make risk-based decisions,” the report says. “The justification of risk acceptance must be documented and should be certified by the appropriate operating division management.”
OIG urged CMS to address the vulnerabilities, but did not detail its recommendations in the report.
In response to the OIG review, CMS acting Administrator Andy Slavitt said, “CMS acknowledges that risks exist inherently for every IT system and that as technology progresses, additional safeguards will be needed.” He added that the agency has already addressed several of the concerns and is working to rectify the remaining ones.