3 min read

HHS-OIG: Improving cloud security controls

HHS-OIG: Improving cloud security controls

Cloud computing is now a fundamental aspect of modern business operations, making the security and protection of cloud-based systems more necessary than ever, especially for government agencies like the Department of Health and Human Services (HHS). However, a recent audit by the HHS Office of Inspector General (HHS-OIG) has uncovered gaps in HHS's cloud security controls, prompting a call for immediate action to address these vulnerabilities.

 

Incomplete cloud system inventory

The HHS-OIG report noted a lack of documented procedures for verifying the accuracy and completeness of cloud system inventory. System owners and System Security Officers within the HHS OS failed to properly identify some of their information systems as cloud-based, leading to their exclusion from the official inventory.

Without a complete inventory of cloud systems, the HHS OS may be unaware of misconfigured cloud systems or vulnerabilities, leaving this data and infrastructure at an increased risk of compromise. Limited visibility into the full scope of the cloud environment can have serious consequences, as cybercriminals may exploit these blind spots to gain unauthorized access or disrupt services.

Read also: A guide to HIPAA and cloud computing 

 

Inadequate security control implementation

The HHS-OIG audit also revealed that while the HHS OS had implemented some security controls, several controls were incorrect. Control failures were further exacerbated by the HHS-OIG's ability to successfully conduct simulated cyberattacks, exploiting vulnerabilities and gaining unauthorized access to sensitive data and system components.

 

Lack of multifactor authentication

One of the most concerning security control failures was the lack of multifactor authentication (MFA) for network access on several privileged accounts for a cloud system. MFA is a fundamental security best practice that adds an extra layer of protection to safeguard against unauthorized access, and its absence in this case represents a major vulnerability.

 

Failure to implement access controls

The audit also identified issues with access controls on cloud storage components, where sensitive data was left publicly accessible. Additionally, the HHS OS failed to enforce access control policies on 27 cloud components, exposing sensitive information to potential compromise.

 

Untimely vulnerability remediation

The HHS-OIG report noted that system flaws were not accurately identified, reported, or corrected promptly for cloud components. This delay in addressing known vulnerabilities leaves the HHS cloud environment susceptible to exploitation by threat actors, potentially leading to data breaches or service disruptions.

 

Lack of encryption enforcement

Another security control failure was the HHS OS's inability to enforce web traffic encryption on a remote server. Unencrypted web traffic can allow attackers to intercept and potentially tamper with sensitive data as it traverses the network, compromising the confidentiality and integrity of the information.

 

Insufficient expertise among system security officers

The HHS-OIG audit attributed the security control issues, in part, to the appointment of HHS OS System Security Officers who did not have the necessary skills or training. While the roles and responsibilities were clear, there was no standardized process for ensuring that qualified staff were assigned to these critical positions.

Effective cloud security management requires specialized skills and expertise, including a deep understanding of cloud architecture, security controls, and compliance requirements. Without these competencies, System Security Officers may struggle to properly implement and maintain the necessary safeguards, leaving the HHS cloud environment vulnerable to threats.

 

Recommendations for improvement

The HHS-OIG audit provided several recommendations to address the identified vulnerabilities and strengthen the HHS's cloud security posture:

  • Develop procedures for maintaining accurate inventories: Establish clear processes to ensure that complete and accurate inventories of cloud systems are created and maintained.
  • Address control findings: Promptly address all the security control findings identified in the audit, including multifactor authentication, access controls, vulnerability remediation, and encryption enforcement.
  • Implement policies for qualified personnel: Develop and implement policies and processes to ensure only skilled individuals are appointed as system security officers, with a standardized process for verifying their competence.
  • Continuous monitoring and improvement: Establish ongoing monitoring and review mechanisms to ensure that cloud security controls remain effective and that any new vulnerabilities or compliance issues are promptly identified and addressed.

Related: Ontology for HIPAA compliant cloud services 

 

FAQs

What are cloud information systems and how do they relate to healthcare security? 

Cloud information systems refer to cloud computing services that store, manage, and process data over the Internet instead of on local servers. In healthcare, cloud information systems can store and manage protected health information (PHI), offering scalability, flexibility, and cost savings. 

 

Why are cloud information systems beneficial for HIPAA compliance? 

Cloud information systems are beneficial because they can enhance data accessibility and efficiency while reducing costs. However, they must be configured and managed to ensure the security and privacy of PHI. 

 

What are the potential risks associated with using cloud information systems under HIPAA? 

  • Data breaches: Increased exposure of ePHI to unauthorized access if cloud security measures are not properly implemented.
  • Non-compliance penalties: Significant fines and legal consequences for failing to protect ePHI in the cloud.
  • Financial losses: Costs related to breach remediation, legal fees, and potential settlements with affected individuals.
  • Reputational damage: Loss of trust from patients, stakeholders, and the public due to the organization’s failure to secure sensitive information.
  • Operational impact: Increased risk of disruptions to healthcare services and administrative functions due to compromised data security in the cloud.

Learn more: HIPAA Compliant Email: The Definitive Guide