A cybersecurity audit of the Department of Health and Human Services’ Office of the Secretary (HHS OS) revealed several serious gaps in the officer’s cloud security practices, giving potential cyber attackers access to sensitive data and unauthorized control.
The audit was conducted in June and July 2022 by the HHS Office of the Inspector General, which partnered with BreakPoint Labs to conduct penetration testing and phishing simulations, putting HHS OS’ cloud defenses to the test.
The audit also included a review of the HHS OS’ cloud system policies, inventories and configuration settings. The office’s cloud environments were tested for vulnerabilities and misconfigurations using network vulnerability scanner and cloud security assessment tools.
At the time of the evaluation, more than 30% of HHS’ 1,555 systems were cloud-based, according to the Office of the Inspector General. The audit report was issued last week and first made public on Monday.
HHS OS cloud security flaws exposed sensitive personal data
The HHS Office of the Secretary is the general manager of the HHS, tasked with administering and overseeing the department’s programs and activities. The HHS OS also serves as the chief policy officer of the department.
HHS OS’ cloud systems host a range of sensitive data, including legal documents and information on healthcare delivery services and emergency response, according to the Office of the Inspector General. The office’s role as both a federal government agency and manager of critical health systems makes it a valuable target for cyber threat actors.
The audit revealed that sensitive data, including personal identifiable information (PII) was exposed due to security flaws in HHS OS’ cloud environment implementations. Penetrations testers, who worked from a “black box” perspective mimicking a real-life attacker’s limited initial knowledge of the target’s cloud systems, not only gained access to this sensitive information but also managed to gain unauthorized control of the components of two of the office’s cloud systems.
“Failure to effectively implement the required security controls places HHS OS cloud systems at potentially higher risk of malicious attacks by bad actors. The vulnerabilities we found may be leveraged by adversaries who seek to steal or distort sensitive data, disrupt operations, and/or destroy the HHS OS cloud systems that support critical HHS programs,” the inspector general’s report stated.
A total of 12 specific cloud system security control gaps were identified through the audit. The most severe issue discovered, which was given a risk rating of “critical,” was the lack of multifactor authentication (MFA) for network access to three privileged accounts on one of HHS OS’ cloud systems.
The office also failed to implement access controls on three cloud storage components to ensure sensitive data was not publicly accessible, did not enforce access control policies on 27 cloud components to ensure users had the least privileges necessary, did not adequately remediate system flaws in a timely manner for 25 cloud components, and did not enforce web traffic encryption on one of its remote servers. These four high-severity issues, along with five medium and two low-severity flaws, plus the failure of the office to accurately identify and inventory 13 of its own cloud systems, undermine the security posture of the federal health agency.
On the bright side, the simulated phishing campaign revealed that security systems blocked access to targeted user accounts even when employees clicked on phishing links and attempted to enter their credentials.
The results of the first phase of the phishing simulation, which targeted 127 HHS OS employees, showed no indication that any of the emails were opened, suggesting that the office’s email filtering or other defenses blocked the delivery of the phishing emails. And while some employees in the second phase, which only targeted 19 workers, did attempt to enter their credentials, the inability to access any affected accounts resulted in no recommendations from the Office of the Inspector General regarding that specific segment of the audit.
HHS security flaws reflect ongoing risks to healthcare, government systems
The publication of these audit results come after a period relentless targeting of healthcare and government systems by cyber threat actors, particularly by ransomware groups and foreign state-backed attackers.
The spate of attacks, including the major ransomware supply chain attack on Change Healthcare that is currently under investigation by the HHS’ Office of Civil Rights, has spurred action by HHS offices to strengthen security measures at healthcare systems across the country.
For example, the department announced its new Universal PatchinG and Remediation for Autonomous Defense program (UPGRADE) in May, which will provide $50 million in funding to improve hospital defenses through new vulnerability detection and mitigation systems, and customized automated cyber defenses.
The HHS’ Health Sector Cybersecurity Coordination Center (HC3) also issued an alert in April warning of a social-engineering campaign attempting to bypass MFA protections for hospital employee accounts.
Sophos State of Ransomware Report 2024 revealed that healthcare remains one of the most heavily targeted sector for ransomware attacks, with the proportion of affected organizations rising year-over-year from 60% in 2023 to 67% in 2024.
Financially motivated attackers have also launched several attacks against local, state and federal government agencies over the past year, including in an email hijacking attack against HHS’ Health Resources and Services Administration between March and November 2023 that resulted in the theft of $7.5 million.
A major ransomware attack against Los Angeles County last week, which resulted in the shutdown of 36 local court offices, is one of the most recent examples of ransomware attacks targeting government systems. And federal agencies are far from immune, with a White House report published last month finding a 9.9% increase in cybersecurity incidence affecting the federal government between 2022 and 2023.
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported the results of a 2023 red-teaming exercise that mimicked the tactics of nation-state threat actors to test the security of a civilian executive branch agency. Like the HHS audit, the exercised revealed numerous security shortcomings that could have devastating impacts on critical government systems.
The HHS Office of the Inspector General made several recommendations to remediate flaws at the HHS OS, which include developing a procedure to improve the accuracy and completion of cloud system inventories, remediating the 12 security control issues identified in the report, leveraging cloud security assessment tools to identify and remediate misconfigurations and implementing policies to ensure that only qualified staff are assigned as cloud system security officers.
