From: HealthITSecurity
Author Name Patrick Ouellette
In response to the high volume of attempts to hack into and compromise sensitive data within government systems, such as the Veteran’s Administration, the Office for Inspector General (OIG) has made strong efforts to determine whether federal entities’ security controls are effective. OIG conducted penetration test of the Indian Health Services (IHS) computer network last summer and found addressable cyber vulnerabilities on the network.
The June 10-14, 2013 IHS penetration test sought out to decide to what extent the IHS network systems were subject to compromise through cyber attacks. IHS is one of 12 HHS operating divisions, made up of 28 hospitals, 61 health centers, and 34 health stations, and provides health services directly through tribally contracted and operated health programs and through services purchased from private providers. OIG planned the penetration test because of the results from a 2011 IHS general IT controls audit, which concluded that IHS’s network security controls were insufficient. From OIG’s perspective, beyond the threats of fraud and false claims, among the bigger concerns would be that unauthorized individuals could gain access to the Department of Health and Human Services (HHS) network.
OIG assigned risk levels (High, Medium, Low) to its findings through use of Table 3-7 in “Risk Scale and Necessary Actions,” of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. OIG’s audit methodology included:
Leave a Reply