A cybersecurity audit of the Department of Health and Human Services' Office of the Secretary (HHS OS) revealed several serious gaps in the office's cloud security practices, giving potential cyber attackers access to sensitive data and unauthorized control.
The audit was conducted in June and July 2022 by the HHS Office of the Inspector General, which partnered with BreakPoint Labs to conduct penetration testing and phishing simulations, putting HHS OS' cloud defenses to the test.
The audit also included a review of the HHS OS' cloud system policies, inventories and configuration settings. The office's cloud environments were tested for vulnerabilities and misconfigurations using network vulnerability scanner and cloud security assessment tools.
At the time of the evaluation, more than 30% of HHS' 1,555 systems were cloud-based, according to the Office of the Inspector General. The audit report was issued last week and first made public on Monday.
HHS OS cloud security flaws exposed sensitive personal data
The HHS Office of the Secretary is the general manager of the HHS, tasked with administering and overseeing the department's programs and activities. The HHS OS also serves as the chief policy officer of the department.
HHS OS' cloud systems host a range of sensitive data, including legal documents and information on healthcare delivery services and emergency response, according to the Office of the Inspector General. The office's role as both a federal government agency and manager of critical health systems makes it a valuable target for cyber threat actors.
The audit revealed that sensitive data, including personally identifiable information (PII), was exposed due to security flaws in HHS OS' cloud environment implementations. Penetration testers, who worked from a "black box" perspective mimicking a real-life attacker's limited initial knowledge of the target's cloud systems, not only gained access to this sensitive information but also managed to gain unauthorized control of the components of two of the office's cloud systems.
“Failure to effectively implement the required security controls places HHS OS cloud systems at potentially higher risk of malicious attacks by bad actors. The vulnerabilities we found may be leveraged by adversaries who seek to steal or distort sensitive data, disrupt operations, and/or destroy the HHS OS cloud systems that support critical HHS programs,” the inspector general's report stated.
A total of 12 specific cloud system security control gaps were identified by the audit. The most severe issue discovered, which was given a risk rating of "critical," was the lack of multifactor authentication (MFA) for network access to a few privileged accounts on one of HHS OS' cloud systems.
The office also did not implement access controls on three cloud storage components to ensure sensitive data was not publicly accessible, did not implement access control policies on 27 cloud components to ensure users had the least privileges necessary, did not adequately remediate system flaws in a timely manner for 25 cloud components, and did not implement web traffic encryption on one of its remote servers. These four high-severity issues, along with five medium and two low-severity flaws, plus the failure of the office to accurately identify and inventory 13 of its own cloud systems, undermine the security posture of the federal health agency.
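To make the control gaps above concrete for a defender, here is an added example (not code from the OIG report or HHS) that audits a constructed cloud inventory for the same classes of finding: privileged accounts without MFA, publicly accessible storage, unencrypted web traffic, and flaws left open past a remediation deadline. The inventory schema, the sample data, and the 30-day patch deadline are assumptions; the severity labels follow the report's ratings.

```python
# Added example: check a cloud inventory for the control gaps described in the
# HHS OS audit. Schema, sample data and PATCH_SLA_DAYS are assumptions.
from datetime import date

# Constructed sample inventory, not real HHS OS data.
INVENTORY = {
    "accounts": [
        {"name": "cloud-admin-1", "privileged": True, "mfa": False},
        {"name": "cloud-admin-2", "privileged": True, "mfa": True},
        {"name": "analyst-7", "privileged": False, "mfa": False},
    ],
    "storage": [
        {"name": "legal-docs", "public_access": True},
        {"name": "ops-logs", "public_access": False},
    ],
    "servers": [
        {"name": "remote-web-1", "https_only": False,
         "open_flaws": [{"id": "PLACEHOLDER-FLAW-1", "found": "2022-01-10"}]},
        {"name": "api-2", "https_only": True, "open_flaws": []},
    ],
}

# Assumed remediation deadline; the report only says flaws were not fixed "timely".
PATCH_SLA_DAYS = 30

def audit(inv, today=date(2022, 7, 1)):
    """Return (severity, component, description) tuples, most severe first."""
    findings = []
    for a in inv["accounts"]:
        # The report rated missing MFA on privileged accounts as "critical".
        if a["privileged"] and not a["mfa"]:
            findings.append(("critical", a["name"], "privileged account without MFA"))
    for s in inv["storage"]:
        # Public storage exposing sensitive data was a high-severity finding.
        if s["public_access"]:
            findings.append(("high", s["name"], "storage publicly accessible"))
    for srv in inv["servers"]:
        if not srv["https_only"]:
            findings.append(("high", srv["name"], "web traffic not encrypted"))
        for f in srv["open_flaws"]:
            age = (today - date.fromisoformat(f["found"])).days
            if age > PATCH_SLA_DAYS:
                findings.append(("high", srv["name"], f"flaw {f['id']} open {age} days"))
    return sorted(findings, key=lambda x: ("critical", "high").index(x[0]))

def summarize(findings):
    """Count findings per severity, the way the report tallies its gaps."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts
```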
On the bright side, the simulated phishing campaign revealed that security systems blocked access to targeted user accounts even when employees clicked on phishing links and attempted to enter their credentials.
The results of the first phase of the phishing simulation, which targeted 127 HHS OS employees, showed no indication that any of the emails were opened, suggesting that the office's email filtering or other defenses blocked the delivery of the phishing emails. And while some employees in the second phase, which only targeted 19 staff, did attempt to enter their credentials, the inability to access any affected accounts resulted in no recommendations from the Office of the Inspector General regarding that specific segment of the audit.
HHS security flaws reflect ongoing risks to healthcare, government systems
The publication of these audit results comes after a period of relentless targeting of healthcare and government systems by cyber threat actors, particularly by ransomware groups and foreign state-backed attackers.
The spate of attacks, including the major ransomware supply chain attack on Change Healthcare that is currently under investigation by the HHS' Office of Civil Rights, has spurred action by HHS offices to strengthen security measures at healthcare systems across the country.
For example, the department announced its new Universal PatchinG and Remediation for Autonomous Defense program (UPGRADE) in May, which will provide $50 million in funding to improve hospital defenses through new vulnerability detection and mitigation systems, and customized automated cyber defenses.
The HHS' Health Sector Cybersecurity Coordination Center (HC3) also issued an alert in April warning of a social-engineering campaign attempting to bypass MFA protections for hospital employee accounts.
Sophos' State of Ransomware Report 2024 revealed that healthcare remains one of the most heavily targeted sectors for ransomware attacks, with the proportion of affected organizations rising year-over-year from 60% in 2023 to 67% in 2024.
Financially motivated attackers have also launched several attacks against local, state and federal government agencies over the past year, including an email hijacking attack against HHS' Health Resources and Services Administration between March and November 2023 that resulted in the theft of $7.5 million.
A major ransomware attack against Los Angeles County last week, which resulted in the shutdown of 36 local court offices, is one of the most recent examples of ransomware attacks targeting government systems. And federal agencies are far from immune, with a White House report published last month finding a 9.9% increase in cybersecurity incidents affecting the federal government between 2022 and 2023.
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported the results of a 2023 red-teaming exercise that mimicked the tactics of nation-state threat actors to test the security of a civilian executive branch agency. Like the HHS audit, the exercise revealed numerous security shortcomings that could have devastating impacts on critical government systems.
The HHS Office of the Inspector General made several recommendations to remediate flaws at the HHS OS, which include developing a procedure to improve the accuracy and completeness of cloud system inventories, remediating the 12 security control issues identified in the report, leveraging cloud security assessment tools to identify and remediate misconfigurations, and implementing policies to ensure that only qualified employees are assigned as cloud system security officers.