HHS Operating Division Needs to Improve Security Controls to More Effectively Prevent Cyberattacks

Issued on  | Posted on  | Report number: A-18-18-08400

Why OIG Did This Audit

This audit is one in a series of OIG audits using network and web application penetration testing to determine how well these information technology (IT) systems are protected against cyberattacks. As part of this body of work, we conducted a test of the Centers for Medicare & Medicaid Services’ (CMS) Affordable Care Act (ACA) information systems.

Our objectives were to determine whether security controls for CMS’s ACA information systems were effective in preventing certain cyberattacks, the likely level of sophistication an attacker needs to compromise CMS’s systems or data, and CMS’s ability to detect attacks and respond appropriately.

How OIG Did This Audit

To complete penetration testing of CMS’s ACA information systems, we contracted with Accenture Federal Services to provide knowledgeable subject-matter experts to conduct penetration testing on behalf of OIG. In accordance with the HHS OIG Penetration Testing and Reporting Guidelines, the testing methodology was divided into three main categories—discovery, vulnerability analysis, and exploitation. We performed the testing in accordance with the agreed-upon Rules of Engagement document.

What OIG Found

Overall, we determined that most security controls in place for CMS’s ACA information systems were operating effectively, but some controls needed further improvement to more adequately prevent certain cyberattacks. We identified a total of 18 vulnerabilities, of which 2 were classified as “Critical,” 9 were classified as “High,” and 7 were classified as “Medium.”

Of the 18 vulnerabilities discovered, 2 critical vulnerabilities were identified that could potentially present a risk to CMS’s ACA data. We determined that the likely level of sophistication needed to exploit and compromise CMS’s ACA information systems was medium, as most of the attacks did not require significant technical knowledge to exploit the vulnerabilities; however, there were some security controls in place to delay or prevent our attacks. Finally, we determined that CMS’s IT security controls were somewhat effective at detecting and responding appropriately to our cyberattacks. This was largely attributed to the use of a security appliance that identified and appropriately stopped a subset of our initial attacks against certain CMS ACA web applications.

What OIG Recommends and HHS OS Comments

We made a series of recommendations for HHS OS to improve IT security controls in accordance with Federal requirements and address the vulnerabilities identified in our report.

In written comments to our draft report, CMS concurred with eight recommendations and did not concur with two recommendations. CMS also provided technical comments, which we addressed as appropriate.

We maintain that our findings and recommendations are accurate and valid.
