Cloud Security , Healthcare , Industry Specific
Report: HHS Needs to Beef Up Cloud Security and Skills
Inspector General Says HHS Cloud Systems Are Potentially at Risk of CompromiseThe Department of Health and Human Services is facing some of the same cloud security problems as the healthcare organizations it regulates: weaknesses in a dozen different cloud security controls and inventories of cloud systems, according to an inspector general's audit report.
See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries
More than 30% of HHS' 1,555 systems were based in the cloud in 2022, and a report released Monday by the HHS Office of Inspector General criticizes the agency's cloud inventory process, worker skills and cybersecurity control weaknesses, such as a lack of multifactor authentication for privileged accounts and web traffic encryption for one remote server. The report says HHS "may potentially be at a risk of compromise."
Experts say the issues raised by the inspector general, such as the danger of default configurations on unmanaged servers - and deviation from HHS policies and National Institute of Standards and Technology guidelines - is a common problem at nearly all healthcare-related organizations.
"Organizations assume that the cloud provider is performing all the necessary things to ensure security and compliance for their environment, which far too often is not the case," said Steve Akers, CISO of privacy and security consulting firm Clearwater and CTO for the company's managed security services team.
The audit, which included all cloud systems owned, operated and maintained by HHS OS or its managed service provider contractors, included an examination of HHS' cloud system policies and procedures, inventories and configuration settings using both a network vulnerability scanner and a cloud security assessment tool to identify vulnerabilities and misconfigurations, HHS OIG said.
The inspector general also hired a third-party ethical hacker, BreakPoint Labs, to perform a penetration test on selected HHS cloud systems in June and July 2022 to determine whether the controls in place would detect or prevent cyberattacks.
Key Findings
The examination found that that while HHS accurately identified the components within the cloud systems assessed for the audit, HHS OS did not accurately identify and inventory all of its cloud systems in accordance with HHS security requirements.
"HHS OS does not have any documented procedures to verify that its cloud system inventories are accurate and complete. As a result, HHS OS may not be effectively managing cybersecurity risks for all of its cloud systems," the report said.
"For example, HHS OS may be unaware that a misconfigured or unpatched cloud system susceptible to a cyberattack exists in its environment because the system was not inventoried, thereby making it unlikely that the system will be scheduled for patching to reduce the risk of a cyberattack."
The audit also revealed that although HHS implemented various security controls to protect its cloud systems - at least 12 key security controls - including multifactor authentication for privileged accounts and web traffic encryption for one remote server - were not effectively implemented in accordance with federal requirements and guidelines.
"This occurred because certain HHS OS system owners and system security officers did not identify some of their information systems as cloud systems in accordance with HHS requirements," HHS OIG said. HHS OS system security officers, who are most often assigned by business or system owners, "do not always have the skill sets or experience necessary to adequately perform the roles and responsibilities for the job function as defined by NIST," the report said.
"Although system security officer roles and responsibilities are defined in HHS security policies, there is no standardized process for ensuring qualified system security officers are selected," HHS OIG said.
"This adversely effects HHS OS's ability to ensure security controls are effectively implemented. As a result, HHS OS data stored in the cloud systems we examined may potentially be at a risk of compromise."
HHS OIG Recommendations
HHS OIG made several recommendations to HHS about addressing the concerns, and HHS in written comments accompanying the report said it concurred with and would implement the suggestions.
The recommendations include having HHS: develop a procedure to ensure cloud system inventories are accurate and completed in compliance with HHS security requirements, remediate the 12 control weakness findings in accordance with NIST, implement a strategy that includes leveraging cloud security assessment tools to identify misconfigurations and other control weaknesses in its cloud services, and remediate weak controls in a timely manner.
HHS OIG also recommended that HHS develop and implement a policy and process to ensure qualified staff are assigned as system security officers for its cloud systems.
HHS did not immediately respond to Information Security Media Group's request for comment on the HHS OIG report.
Common Challenges
Some of the HHS OIG findings are similar to the kinds of cloud security control and management issues that many healthcare sector entities encounter, some experts said.
Tom Walsh, president of consulting firm twSecurity, said entities need to carefully read the fine print in their cloud service agreements.
"Most have some type of shared security responsibilities between the cloud service provider and customer. People sometimes assume that the cloud service provider is handling something - such as patch management - on their behalf when that is not the case," he said. "These services might be available but at an additional cost to the customer."
Walsh also recommends testing backups, business continuity plans and the disaster recovery plans involving cloud services. "If the cloud service provider goes down for an extended period of time, is there a well-written and tested plan for how the business will continue to operate and how cloud-based systems will be recovered?"
As the audit found, a common mistake that many organizations make is trying to leverage their internal IT teams to manage and maintain a cloud environment, Akers said. That "often means those teams are not familiar with the intricacies of managing a cloud environment."