OIG audit of hospital’s cybersecurity finds vulnerabilities in common web applications
The U.S. Department of Health and Human Services Office of the Inspector General (OIG) released a report focused on a “large Southeastern hospital” that the agency said had security vulnerabilities that could be vectors for a cyberattack. The unnamed hospital, according to the OIG, would have difficulty detecting a data breach unless its defenses were tightened.
For this audit, the OIG looked at four “internet-accessible web applications,” testing whether the hospital—formally referred to as “the Entity”—deployed cybersecurity controls that would prevent unauthorized intrusion of its network, ensure continuity of patient care in the event one occurred and ultimately protect patient data, with an emphasis on Medicare enrollees.
“The Entity is a large hospital in the Southeast United States that has more than 300 beds and offers various health services, including emergency, cardiac, neurology, maternity, and radiology services,” the OIG wrote. “The Entity is part of a network of providers that share protected health information for treatment, payment and healthcare operations, [and it] adopted the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF), version 9.4, as its main cybersecurity control framework in effect at the time of our testing.”
The agency added that regulation variations and a lack of uniform cybersecurity standards across healthcare make it difficult for the federal government to monitor data security.
Consequently, the OIG emphasized that healthcare remains a prime target for attacks, given the value of PHI on the black market and the sheer number of systems connected to a hospital network that could be utilized for a data breach. In this case, it would be these unidentified web applications.
In their probe, investigators found that an account management platform had a “control weakness,” namely that multifactor authentication was not enabled. In fact, the report indicates that a mock phishing campaign deployed to test security at the Entity was able to capture credentials that would allow anyone to gain access.
The second vulnerability came in the form of another cybersecurity control weakness, this time on a portal to a database. To be more specific, the OIG said this particular application was not backed by a firewall that would be able to detect and automatically block attacks.
“As a result, the application may have been susceptible to injection attacks, including the insertion of malicious code by threat actors,” the agency wrote.
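The injection exposure the OIG describes comes down to whether user input can alter the structure of a database query. The following is an added illustration, not code from the report or from the audited hospital: a constructed in-memory SQLite table stands in for the database behind the portal, one lookup concatenates the caller's input into the SQL string, and the other binds it as a parameter. The same crafted input returns every row from the first and nothing from the second. The `flag_suspicious` helper is a deliberately coarse, hypothetical check of the kind a web application firewall might apply at the edge; it is there to show what "detect and automatically block" means in practice, and the parameterized query is the actual fix.

```python
import sqlite3

# Constructed sample data standing in for a patient-portal table; not real records.
SAMPLE_ROWS = [
    ("mrn-0001", "alice"),
    ("mrn-0002", "bob"),
    ("mrn-0003", "carol"),
]


def make_db():
    """Create a throwaway in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (mrn TEXT, owner TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    """Builds the query by string concatenation, so the input becomes part of the SQL."""
    sql = "SELECT mrn FROM records WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, owner):
    """Same lookup with a bound parameter: the input is always treated as a value."""
    sql = "SELECT mrn FROM records WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def flag_suspicious(value):
    """Hypothetical edge-layer heuristic: flag inputs carrying SQL string delimiters
    or comment markers for logging/blocking. Coarse by design; it complements,
    and never replaces, parameterized queries in the application itself."""
    markers = ("'", '"', "--", "/*", ";")
    return any(m in value for m in markers)


def demo():
    """Run both lookups with a legitimate owner and with a constructed crafted input."""
    conn = make_db()
    legit = "alice"
    # Constructed input that closes the quoted literal and appends an always-true clause.
    crafted = "x' OR '1'='1"
    return {
        "vuln_legit": lookup_vulnerable(conn, legit),
        "vuln_crafted": lookup_vulnerable(conn, crafted),
        "param_legit": lookup_parameterized(conn, legit),
        "param_crafted": lookup_parameterized(conn, crafted),
        "flagged": flag_suspicious(crafted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows the concatenated query returning all three records for the crafted input while the parameterized query returns none, which is the difference between an application that depends on a perimeter firewall and one that is safe regardless of what reaches it.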
It clarified that the systems in question, which cybersecurity teams were able to exploit, did not directly protect PHI and other data on patients. However, access could allow hackers to deploy “targeted social engineering campaigns” to find further weakness in the network that could potentially lead to a full-blown data breach, such as a ransomware attack.
Dedicated to finding gaps
The OIG said the hospital, overall, had cybersecurity defenses in place that were up to par with other organizations, including system backups that could be accessed in the event primary systems were compromised. It was able to detect and prevent most of the agency's simulated attacks.
But with persistence, the “hackers” were able to find holes in defenses—something every hospital is thought to have.
In this case, the agency said it made recommendations to secure the web applications, including adding multifactor authentication and ensuring logins were bolstered with a firewall. It also recommended that regular assessments be performed to test access control procedures.
“[We suggested that] the Entity utilize a wider array of security testing tools and techniques to better detect vulnerabilities in applications before updating production systems, such as dynamic application testing tools, static application testing tools, and manual, interactive testing, as part of its security testing process prior to deploying updates to internet-accessible production systems,” the agency confirmed.
The hospital was said to have agreed with all recommendations and has worked to address them.
The full report is available here.
