“Why OIG Did This Review
We conducted a series of audits at eight HHS Operating Divisions (OPDIVs) using network and web application penetration testing to determine how well HHS systems were protected when subject to cyberattacks.”
“What OIG Found
On the basis of the systems we tested, we determined that security controls across the eight HHS OPDIVs needed improvement to more effectively detect and prevent certain cyberattacks. During testing, we identified vulnerabilities in configuration management, access control, data input controls, and software patching. We shared with senior-level HHS information technology management the common root causes for the vulnerabilities we identified, information regarding HHS’s cybersecurity posture, and four broad recommendations that HHS should implement across its enterprise to more effectively address these vulnerabilities. We also provided separate reports with detailed results and specific recommendations to each OPDIV after testing was completed. We will be following up with each OPDIV on the progress of implementing our recommendations.”
“What OIG Recommends and HHS’s Comments
We provided to HHS a restricted roll-up report of the results of our testing at the eight OPDIVs. The report included four broad recommendations that HHS should implement across its enterprise.”
Source: Summary Report for OIG Penetration Testing of Eight HHS Operating Division Networks – March 13, 2019. HHS OIG.