HHS audit finds serious gaps in cloud security at secretary's office – Cyber Tech
A cybersecurity audit of the Department of Health and Human Services' Office of the Secretary (HHS OS) revealed several serious gaps in the office's cloud security practices, potentially giving cyber attackers access to sensitive data and unauthorized control of systems.
The audit was conducted in June and July 2022 by the HHS Office of the Inspector General, which partnered with BreakPoint Labs to conduct penetration testing and phishing simulations, putting HHS OS' cloud defenses to the test.
The audit also included a review of HHS OS' cloud system policies, inventories and configuration settings. The office's cloud environments were examined for vulnerabilities and misconfigurations using network vulnerability scanners and cloud security assessment tools.
At the time of the evaluation, more than 30% of HHS' 1,555 systems were cloud-based, according to the Office of the Inspector General. The audit report was issued last week and first made public on Monday.
HHS OS cloud security flaws exposed sensitive personal data
The HHS Office of the Secretary is the general manager of HHS, tasked with administering and overseeing the department's programs and activities. The HHS OS also serves as the chief policy officer of the department.
HHS OS' cloud systems host a range of sensitive data, including legal documents and information on healthcare delivery services and emergency response, according to the Office of the Inspector General. The office's role as both a federal government agency and manager of critical health systems makes it a valuable target for cyber threat actors.
The audit revealed that sensitive data, including personally identifiable information (PII), was exposed due to security flaws in HHS OS' cloud environment implementations. Penetration testers, who worked from a "black box" perspective mimicking a real-life attacker's limited initial knowledge of the target's cloud systems, not only gained access to this sensitive information but also managed to gain unauthorized control of components of two of the office's cloud systems.
"Failure to effectively implement the required security controls places HHS OS cloud systems at potentially higher risk of malicious attacks by bad actors. The vulnerabilities we found may be leveraged by adversaries who seek to steal or distort sensitive data, disrupt operations, and/or destroy the HHS OS cloud systems that support critical HHS programs," the inspector general's report stated.
A total of 12 specific cloud system security control gaps were identified through the audit. The most severe issue discovered, which was given a risk rating of "critical," was the lack of multifactor authentication (MFA) for network access to three privileged accounts on one of HHS OS' cloud systems.
The office also failed to implement access controls on three cloud storage components to ensure sensitive data was not publicly accessible, failed to implement access control policies on 27 cloud components to ensure users had the least privileges necessary, failed to remediate system flaws in a timely manner for 25 cloud components, and failed to implement web traffic encryption on one of its remote servers. These four high-severity issues, along with five medium- and two low-severity flaws, plus the office's failure to accurately identify and inventory 13 of its own cloud systems, undermine the security posture of the federal health agency.
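The control gaps listed above are exactly the kind of rules a cloud security assessment tool evaluates over a configuration export: privileged accounts without MFA, publicly readable storage, over-broad access policies, flaws left open past a remediation window, web servers without TLS, and components the scanner sees that the official inventory does not. The following Python is an added example, not the OIG's or BreakPoint Labs' tooling. The record schema, the sample components, the 30-day remediation window and the wildcard-action heuristic used to approximate "least privilege" are all assumptions; the severity labels follow the ratings the report assigned to each category of finding.

```python
"""Cloud configuration-audit checker.

Added example, not the OIG's or BreakPoint Labs' tooling. It encodes the
control gaps the audit describes as rules over a scanner export and reports
them with the report's severity labels. The record schema, the sample
components, the 30-day patch window and the wildcard heuristic for least
privilege are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Component:
    """One cloud component as an assessment tool might export it (assumed schema)."""
    cid: str
    kind: str                      # "account" | "storage" | "server" | "role"
    privileged: bool = False
    mfa: bool = False
    public: bool = False
    allowed_actions: tuple = ()    # IAM-style action strings, e.g. "s3:GetObject"
    open_flaws: dict = field(default_factory=dict)  # flaw id -> date first reported
    tls: bool = True


def check_component(c, today, patch_sla_days=30):
    """Apply the audit's control checks to one component; return findings."""
    out = []
    # Critical finding in the report: privileged account, no MFA for network access.
    if c.kind == "account" and c.privileged and not c.mfa:
        out.append(("critical", c.cid, "privileged account without MFA for network access"))
    # High: storage component reachable without authentication.
    if c.kind == "storage" and c.public:
        out.append(("high", c.cid, "storage component publicly accessible"))
    # High: least-privilege heuristic (assumption): any wildcard action is over-broad.
    if c.kind == "role" and any(a == "*" or a.endswith(":*") for a in c.allowed_actions):
        out.append(("high", c.cid, "access policy grants wildcard actions"))
    # High: flaws still open beyond the remediation window (window is an assumption).
    stale = sorted(f for f, d in c.open_flaws.items() if (today - d).days > patch_sla_days)
    if stale:
        out.append(("high", c.cid, f"unremediated past {patch_sla_days} days: {', '.join(stale)}"))
    # High: remote server serving web traffic in the clear.
    if c.kind == "server" and not c.tls:
        out.append(("high", c.cid, "web traffic served without TLS"))
    return out


def audit(components, today, patch_sla_days=30):
    """Run every component through the checks; worst severity first, then by id."""
    findings = [f for c in components for f in check_component(c, today, patch_sla_days)]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1]))


def inventory_gaps(components, inventory):
    """Ids the scanner observed that are missing from the authoritative inventory."""
    return sorted(c.cid for c in components if c.cid not in inventory)


# Constructed sample export: four components with gaps, one clean, one unrecorded.
TODAY = date(2022, 7, 15)
SAMPLE = [
    Component("acct-admin-01", "account", privileged=True, mfa=False),
    Component("bucket-legal", "storage", public=True,
              open_flaws={"flaw-001": date(2022, 4, 1)}),
    Component("role-ops", "role", allowed_actions=("s3:*", "ec2:DescribeInstances")),
    Component("web-remote-02", "server", tls=False),
    Component("acct-user-07", "account", privileged=False, mfa=True),
]
INVENTORY = {"acct-admin-01", "bucket-legal", "role-ops", "acct-user-07"}

if __name__ == "__main__":
    for sev, cid, msg in audit(SAMPLE, TODAY):
        print(f"[{sev.upper():8}] {cid}: {msg}")
    print("not in inventory:", inventory_gaps(SAMPLE, INVENTORY))
```

Run against the constructed export, the checker emits one critical and four high findings and reports `web-remote-02` as a component that exists but was never inventoried, the same shape of result the OIG describes. Widening the remediation window (for example `patch_sla_days=200`) drops the stale-flaw finding, which is why the window should be taken from policy rather than chosen by the person running the scan.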
On the bright side, the simulated phishing campaign showed that security controls blocked access to targeted user accounts even when employees clicked phishing links and attempted to enter their credentials.
The results of the first phase of the phishing simulation, which targeted 127 HHS OS employees, showed no indication that any of the emails were opened, suggesting that the office's email filtering or other defenses blocked delivery of the phishing emails. And while some employees in the second phase, which targeted only 19 employees, did attempt to enter their credentials, none of the affected accounts could be accessed, so the Office of the Inspector General made no recommendations regarding that segment of the audit.
HHS security flaws reflect ongoing risks to healthcare, government systems
The publication of these audit results comes after a period of relentless targeting of healthcare and government systems by cyber threat actors, particularly ransomware groups and foreign state-backed attackers.
The spate of attacks, including the major ransomware supply chain attack on Change Healthcare that is currently under investigation by the HHS Office for Civil Rights, has spurred action by HHS offices to strengthen security measures at healthcare systems across the country.
For example, the department announced its new Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program in May, which will provide $50 million in funding to improve hospital defenses through new vulnerability detection and mitigation systems and customized automated cyber defenses.
HHS' Health Sector Cybersecurity Coordination Center (HC3) also issued an alert in April warning of a social-engineering campaign attempting to bypass MFA protections on hospital employee accounts.
Sophos' State of Ransomware Report 2024 found that healthcare remains one of the most heavily targeted sectors for ransomware attacks, with the proportion of affected organizations rising year-over-year from 60% in 2023 to 67% in 2024.
Financially motivated attackers have also launched several attacks against local, state and federal government agencies over the past year, including an email hijacking attack against HHS' Health Resources and Services Administration between March and November 2023 that resulted in the theft of $7.5 million.
A major ransomware attack against Los Angeles County last week, which resulted in the shutdown of 36 local court offices, is one of the most recent examples of ransomware attacks targeting government systems. And federal agencies are far from immune, with a White House report published last month finding a 9.9% increase in cybersecurity incidents affecting the federal government between 2022 and 2023.
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported the results of a 2023 red-teaming exercise that mimicked the tactics of nation-state threat actors to test the security of a civilian executive branch agency. Like the HHS audit, the exercise revealed numerous security shortcomings that could have devastating impacts on critical government systems.
The HHS Office of the Inspector General made several recommendations to remediate flaws at the HHS OS, which include developing a procedure to improve the accuracy and completeness of cloud system inventories, remediating the 12 security control issues identified in the report, leveraging cloud security assessment tools to identify and remediate misconfigurations, and implementing policies to ensure that only qualified staff are assigned as cloud system security officers.