An audit by the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) identified web application security weaknesses at a large U.S. hospital that could allow threat actors to gain initial access to its systems. HHS-OIG recommended improvements to specific security controls to strengthen the hospital's ability to prevent and detect cyberattacks.
Audit Findings
HHS-OIG audited the information technology security controls of a large Southeastern hospital. The audit focused on web application security and the other technical safeguards intended to protect electronic information systems, to ensure continuity of patient care in the event of a cyberattack, and to keep Medicare enrollee information secure.
The audited hospital (unnamed for security reasons) belongs to a network of healthcare providers that share access to patients' protected health information (PHI) for treatment, billing, and healthcare operations. The hospital uses the HITRUST Common Security Framework (CSF) version 9.4 and had implemented the physical, administrative, and technical safeguards required by HIPAA.
HHS-OIG ran simulated cyberattacks against the hospital's internet-facing applications. The hospital's security controls detected most of the simulated attacks, but some weaknesses allowed the auditors to obtain a user's login credentials and use them to gain control of the account management web application.
Of the 2,171 phishing emails sent, only the last 500 were blocked. About 6% of recipients clicked the link in the phishing email, and one user entered their login credentials on the phishing website. HHS-OIG used the captured credentials to log in to the web application; from that position an attacker could have deactivated multifactor authentication and added or removed devices from the system.
The audit confirmed that certain security controls need to be improved to strengthen the hospital's ability to prevent and detect cyberattacks.
Recommendations for Security Control Improvements
HHS-OIG recommended that the hospital improve the following areas:
- Use strong user ID, password, and authentication settings for the account management web application
- Regularly review and update user ID and authentication controls across all systems
- Evaluate all web applications to determine whether an automated technical solution, such as a web application firewall, is needed
- Use a mix of testing approaches to identify application weaknesses, for instance manual testing together with interactive (IAST), dynamic (DAST), and static (SAST) application security testing tools
Broader Cybersecurity Implications
The HHS-OIG report underscores the need for stronger cybersecurity across the health sector. Its findings reflect broader concerns about web application security and other technical safeguards at healthcare providers. Steps that healthcare organizations can take include:
- Perform a thorough inventory of all SaaS and web applications to get a complete picture of the organization's attack surface
- Prioritize MFA on applications, especially those with privileged access or sensitive information
- Use SSO solutions that enforce MFA centrally while improving user experience and reducing password-related risks
- Apply conditional access policies, such as requiring MFA for any access from external networks or from unmanaged devices
- Routinely test authentication controls through phishing simulations and penetration testing
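The attack chain the auditors demonstrated (a password captured by phishing, replayed from outside the network, then used to disable MFA) is exactly what the conditional access and MFA recommendations above are meant to stop, and it also leaves a recognizable trail in authentication logs. The following is an added example, not code from HHS-OIG, the hospital, or the report: it evaluates a simple conditional access policy of the kind described (MFA required from external networks or unmanaged devices, step-up required for privileged account-management actions) and then scans a few constructed log lines for a password-only external login followed by a privileged action. The trusted network ranges, the log format, and the action names (`mfa_disable`, `device_add`, `device_remove`) are assumptions made for the example.

```python
"""Conditional-access evaluation and detection of the credential-replay chain
(captured password -> account-management app -> MFA deactivation).

Added example; not HHS-OIG or hospital code. Network ranges, the log format
and the action names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed on-premises ranges; anything else is treated as an external network.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]

# Assumed privileged actions in the account-management app. These always need a
# fresh MFA step-up and are never allowed from an unmanaged device.
PRIVILEGED_ACTIONS = {"mfa_disable", "device_add", "device_remove"}


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    device_managed: bool
    mfa_satisfied: bool
    action: str = "login"


def is_trusted_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(req: AccessRequest) -> str:
    """Return 'allow', 'require_mfa' or 'deny' for a request.

    Policy (assumed): privileged actions from unmanaged devices are denied
    outright; external network, unmanaged device or privileged action requires
    MFA; a password-only login from a trusted network on a managed device may
    proceed without MFA.
    """
    privileged = req.action in PRIVILEGED_ACTIONS
    if privileged and not req.device_managed:
        return "deny"
    needs_mfa = (not is_trusted_network(req.source_ip)
                 or not req.device_managed
                 or privileged)
    if not needs_mfa:
        return "allow"
    return "allow" if req.mfa_satisfied else "require_mfa"


# Constructed sample log (assumed format: ISO time, user, source IP, event,
# outcome). jdoe is the phished account being replayed from an external address.
SAMPLE_LOG = """\
2024-05-01T09:12:03 jdoe 203.0.113.45 login password_ok
2024-05-01T09:12:40 jdoe 203.0.113.45 mfa_disable success
2024-05-01T10:02:11 asmith 10.20.30.40 login password_ok
2024-05-01T10:02:15 asmith 10.20.30.40 login mfa_ok
2024-05-01T11:30:00 asmith 10.20.30.40 device_add success
"""


def detect_mfa_bypass_chain(log_text: str,
                            window: timedelta = timedelta(minutes=30)) -> list:
    """Flag a password-only login from an external address that is followed,
    within `window` and with no MFA event in between, by a privileged action.
    Returns one alert dict per suspicious action.
    """
    pending = {}  # user -> (time of password-only login, source ip)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event, outcome = line.split()
        t = datetime.fromisoformat(ts)
        if event == "login" and outcome == "password_ok":
            pending[user] = (t, ip)
        elif event == "login" and outcome == "mfa_ok":
            pending.pop(user, None)  # the session is now MFA-bound
        elif event in PRIVILEGED_ACTIONS and user in pending:
            t0, ip0 = pending[user]
            if t - t0 <= window and not is_trusted_network(ip0):
                alerts.append({"user": user, "source_ip": ip0,
                               "action": event, "time": ts})
    return alerts


if __name__ == "__main__":
    attacker = AccessRequest("jdoe", "203.0.113.45", device_managed=False,
                             mfa_satisfied=False)
    print("replayed password from external network:", evaluate(attacker))
    for alert in detect_mfa_bypass_chain(SAMPLE_LOG):
        print("ALERT", alert)
```

Under this policy the replayed password alone yields `require_mfa`, so the account-management app is not reachable with the phished credential, and even a phished MFA code does not let an unmanaged device disable MFA. The detection pass is the complementary control for applications that are not yet behind such a policy: it raises one alert for `jdoe` and none for `asmith`, whose session completed MFA before any privileged action.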