Indian Health Service fails testing of IT security

The Indian Health Service (IHS) failed a penetration test of its computer network conducted last June by the Department of Health & Human Services’ Office of Inspector General.

The June 2013 test was a follow-up to an IT general controls audit of IHS’ network security controls. The audit found that such controls were inadequate, according to the OIG’s report.  

IHS officials were aware of the penetration test, but incident response staff were not notified of the testing so that the effectiveness of IHS’ intrusion detection and response controls could be assessed.

“Overall, IHS needs to address cyber vulnerabilities on its computer network,” according to OIG’s test results. The audit team was able to obtain unauthorized access to an IHS web server, which allowed access to the internal IHS network, and to obtain user account and password data, including user names and passwords to IHS databases. This failure is considered high risk.

The audit team was also able to gain control of an IHS computer, which allowed access to the computer’s resources, including records in the file system. This is considered medium risk.

OIG made several recommendations to IHS, including fixing the vulnerability on the IHS web server, implementing more effective procedures to protect its computer systems from cyber attacks and periodically measuring adherence to IHS security policies and procedures. Due to the sensitive nature of specific findings identified during the test, detailed technical findings were provided only to IHS.

In January, HITRUST announced plans, dubbed CyberRx, to conduct exercises to simulate cyber attacks on healthcare organizations.

Read the complete OIG report on the IHS penetration test.

Beth Walsh,

Editor

