A cybersecurity audit of the Office of the Secretary of Health and Human Services (HHS OS) has uncovered several critical vulnerabilities in the office’s cloud security practices that could allow attackers to gain unauthorized access to sensitive data and take control of cloud components.
The audit was conducted in June and July 2022 by the Department of Health and Human Services’ Office of Inspector General (OIG), which partnered with BreakPoint Labs to conduct penetration testing and phishing simulations, putting the defenses of HHS OS’s cloud systems to the test.
The audit also included a review of HHS cloud system policies, inventories, and configuration settings. The office’s cloud environments were tested for vulnerabilities and misconfigurations using a network vulnerability scanner and cloud security assessment tools.
At the time of the assessment, more than 30 percent of the Department of Health and Human Services’ 1,555 systems were cloud-based, according to the inspector general’s office. The audit report was released last week and first made public Monday.
HHS Cloud Security Vulnerabilities Expose Sensitive Personal Data
The Office of the Secretary of the Department of Health and Human Services is the Department’s general management office, responsible for administering and overseeing the Department’s programs and activities. It also serves as the Department’s chief policy office.
The Department of Health and Human Services’ cloud computing systems host a range of sensitive data, including legal documents and information related to health care delivery and emergency response services, according to the Office of the Inspector General. The office’s role as a federal government agency and manager of critical health systems makes it a valuable target for cyberthreat actors.
The audit revealed that sensitive data, including personally identifiable information (PII), was exposed due to security flaws in HHS OS’s cloud implementations. Penetration testers, operating from a “black box” perspective that mimicked a real attacker’s limited initial knowledge of the target’s cloud systems, were not only able to access this sensitive information, but were also able to gain unauthorized control over components of two of the office’s cloud systems.
“Failure to effectively implement required security controls exposes HHS cloud computing systems to greater risk of malicious attacks by bad actors. Adversaries could exploit the vulnerabilities we found in an attempt to steal or distort sensitive data, disrupt operations, and/or destroy HHS cloud computing systems that support critical HHS programs,” the inspector general’s report said.
A total of 12 specific cloud security control vulnerabilities were identified through the audit. The most severe issue discovered, rated “critical,” was the lack of multi-factor authentication (MFA) for network access for three privileged accounts on one of the Department of Health and Human Services’ cloud systems.
The office also failed to implement access controls on three cloud storage components to ensure that sensitive data was not made publicly available, failed to enforce access control policies on 27 cloud components to ensure that users had the least necessary privileges, failed to adequately address system flaws in a timely manner on 25 cloud components, and failed to enforce encryption of web traffic on one of its remote servers. These four high-risk issues, along with five medium-risk flaws and two low-risk flaws, and the office’s failure to accurately identify and inventory 13 of its cloud systems, undermine the federal health agency’s security posture.
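The five control gaps above (MFA on privileged accounts, publicly readable storage, least privilege, timely flaw remediation, and encryption of web traffic), plus the inventory gap, are the kind of checks a cloud security assessment tool runs over a system inventory. The script below is an added illustration, not the OIG’s or BreakPoint Labs’ tooling: it evaluates those six control classes against a small constructed inventory. The inventory format, the component names, and the 30-day patch SLA are all assumptions made for this example.

```python
"""
Constructed example: a small inventory audit that flags the classes of cloud
control gaps named in the HHS OIG findings. The inventory schema, every
component name, and the patch SLA are made up for illustration; this is not
the OIG's or BreakPoint Labs' tooling.
"""
from dataclasses import dataclass

# Constructed inventory: a few cloud components, each carrying only the
# attributes the checks below need. A real inventory would come from the
# provider's API or a CSPM export.
INVENTORY = [
    {"id": "admin-account-1", "kind": "account", "privileged": True, "mfa": False},
    {"id": "ops-account-7", "kind": "account", "privileged": False, "mfa": False},
    {"id": "records-bucket", "kind": "storage", "public_read": True},
    {"id": "logs-bucket", "kind": "storage", "public_read": False},
    {"id": "batch-role", "kind": "role", "actions": ["*"]},
    {"id": "reader-role", "kind": "role", "actions": ["storage:get"]},
    {"id": "web-vm-3", "kind": "server", "unpatched_critical_days": 120, "tls_only": False},
    {"id": "web-vm-4", "kind": "server", "unpatched_critical_days": 3, "tls_only": True},
]

# Constructed: component ids seen by a discovery scan of the same environment.
# Anything here that is absent from INVENTORY is an inventory-accuracy gap.
DISCOVERED_IDS = {c["id"] for c in INVENTORY} | {"shadow-vm-9", "old-bucket-2"}

# Assumed remediation window for critical flaws (illustrative value).
PATCH_SLA_DAYS = 30


@dataclass
class Finding:
    component: str
    control: str
    severity: str
    detail: str


def check_component(c: dict) -> list[Finding]:
    """Apply the control checks that apply to one component's kind."""
    findings = []
    kind = c["kind"]
    if kind == "account" and c.get("privileged") and not c.get("mfa"):
        findings.append(Finding(c["id"], "mfa-privileged", "critical",
                                "privileged account without MFA"))
    if kind == "storage" and c.get("public_read"):
        findings.append(Finding(c["id"], "public-storage", "high",
                                "storage component readable by the public"))
    if kind == "role" and "*" in c.get("actions", []):
        findings.append(Finding(c["id"], "least-privilege", "high",
                                "role grants wildcard actions"))
    if kind == "server":
        days = c.get("unpatched_critical_days", 0)
        if days > PATCH_SLA_DAYS:
            findings.append(Finding(c["id"], "flaw-remediation", "high",
                                    f"critical flaw unpatched for {days} days"))
        if not c.get("tls_only", False):
            findings.append(Finding(c["id"], "encrypt-in-transit", "high",
                                    "server accepts unencrypted web traffic"))
    return findings


def audit(inventory: list[dict]) -> list[Finding]:
    """Run every check over the inventory, most severe findings first."""
    out = []
    for c in inventory:
        out.extend(check_component(c))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(out, key=lambda f: (order[f.severity], f.component))


def uninventoried(discovered: set[str], inventory: list[dict]) -> set[str]:
    """Components a discovery scan found that the inventory does not list."""
    return discovered - {c["id"] for c in inventory}


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'critical': 1, 'high': 4}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(INVENTORY)
    for f in results:
        print(f"[{f.severity:8}] {f.component:18} {f.control:20} {f.detail}")
    print("severity counts:", summarize(results))
    print("not in inventory:", sorted(uninventoried(DISCOVERED_IDS, INVENTORY)))
```

Each check is deliberately narrow and keyed to one control so that a finding maps back to a specific remediation (enable MFA, remove the public grant, tighten the role, patch within the SLA, redirect to HTTPS); the inventory comparison is separate because missing systems never enter the per-component loop at all, which is exactly why an inaccurate inventory hides every other gap on those systems.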
On the bright side, the simulated phishing campaign revealed that security systems blocked access to targeted user accounts even when employees clicked on the phishing links and tried to enter their credentials.
The results of the first phase of the phishing simulation, which targeted 127 HHS OS employees, showed no indication that any of the emails were opened, suggesting that the office’s email filtering or other defenses prevented the phishing messages from being delivered. While some employees in the second phase, which targeted only 19 workers, attempted to enter their credentials, the testers’ inability to access any affected accounts meant the OIG made no recommendations regarding that specific part of the audit.
The security flaws at the Department of Health and Human Services reflect the ongoing risks to health care and government systems.
The publication of the findings of this review comes after a period of continued targeting of healthcare and government systems by cyber threat actors, particularly by ransomware groups and foreign state-backed attackers.
The flood of attacks, including a major supply chain attack on Change Healthcare that is currently under investigation by the Department of Health and Human Services’ Office for Civil Rights, has prompted HHS offices to take action to strengthen security measures in health care systems across the country.
For example, the department announced its new Universal Patching and Remediation for Autonomous Defense (UPGRADE) program in May, which will provide $50 million in funding to improve hospital defenses through new vulnerability detection and mitigation systems and customized automated cyber defenses.
The U.S. Department of Health and Human Services' Health Cybersecurity Coordination Center (HC3) also issued an alert in April warning of a social engineering campaign attempting to bypass two-factor authentication protection for hospital employee accounts.
The Sophos State of Ransomware 2024 report reveals that healthcare remains one of the most targeted sectors for ransomware attacks, with the percentage of organizations affected increasing year-on-year from 60% in 2023 to 67% in 2024.
Financially motivated attackers have also launched several attacks against local, state, and federal government agencies over the past year, including an email hijacking attack against the Department of Health and Human Services' Health Resources and Services Administration between March and November 2023 that resulted in the theft of $7.5 million.
The massive ransomware attack on Los Angeles County last week, which shut down 36 local court offices, is the latest example of ransomware attacks targeting government systems. Federal agencies are far from immune to the onslaught, with a White House report released last month finding a 9.9% increase in cybersecurity incidents affecting the federal government between 2022 and 2023.
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency announced the results of its 2023 Red Team exercise, which mimicked the tactics of nation-state actors to test the security of a civilian executive branch agency. Like the HHS audit, the exercise revealed numerous security deficiencies that could have devastating effects on critical government systems.
The HHS OIG made several recommendations to address the flaws in HHS OS’s cloud systems, including developing a process to improve the accuracy and completeness of the cloud systems inventory, addressing the 12 security control issues identified in the report, leveraging cloud security assessment tools to identify and fix misconfigurations, and implementing policies to ensure that only qualified personnel are assigned as cloud systems security administrators.