Pen Testing of HHS Units Reveals Weaknesses

In a summary report issued Wednesday, the HHS Office of Inspector General highlighted several security controls that need improvement across eight HHS operating divisions. The weaknesses included configuration management, access control, data input controls and software patching, the report notes. Similar concerns have been raised in previous OIG reports.

The OIG report is based on findings from a series of audits in fiscal years 2016 and 2017 at eight unnamed HHS operating divisions. Network and web application penetration testing was conducted by a third-party contractor to determine how well HHS systems were protected when subject to cyberattacks, the study notes.

“Based on the findings of this audit, we have initiated a new series of audits looking for indicators of compromise on HHS and operating division systems to determine whether an active threat exists on HHS networks or whether there has been a past breach by threat actors,” OIG says.