Indian Health Service Systems Hacked in Test
Security vulnerabilities of the Indian Health Service need addressing after an external penetration test of its computer network was able to gain unauthorized access, a Health and Human Services Office of Inspector General report concludes.
Security vulnerabilities of the Indian Health Service need addressing after an external penetration test of its computer network was able to gain unauthorized access, a Health and Human Services Office of Inspector General report concludes.
IHS, which consists of 28 hospitals, 61 health centers and 34 health stations, provides health services directly through tribally contracted and operated health programs and through services purchased from private providers. In June 2013, OIG tested the effectiveness of IHSs network security controls and was able to obtain unauthorized access to an IHS Web server and an IHS computer.
"Due to the sensitive nature of the specific findings identified during our testing, only a summary of the findings are included in this report," said OIG.
Auditors were able to gain unauthorized access to an IHS Web server, which allowed them to access the internal IHS network and obtain user account and password data on the system, including user names and passwords to IHS databases. The vulnerability was deemed "high risk" in the report, meaning "there is a strong need for corrective measures" though "existing systems may continue to operate, but a corrective action plan must be put in place as soon as possible."
In addition, testers were able to take control of an IHS computer, which allowed access to the computers resources, including records in the file system. This "medium risk" calls for corrective actions "within a reasonable period of time," stated the report.
OIG further recommends that IHS implement more effective procedures to protect its computer systems from cyber attacks, and periodically measure adherence to IHS security policies and procedures. The report is available here.
IHS, which consists of 28 hospitals, 61 health centers and 34 health stations, provides health services directly through tribally contracted and operated health programs and through services purchased from private providers. In June 2013, OIG tested the effectiveness of IHSs network security controls and was able to obtain unauthorized access to an IHS Web server and an IHS computer.
"Due to the sensitive nature of the specific findings identified during our testing, only a summary of the findings are included in this report," said OIG.
Auditors were able to gain unauthorized access to an IHS Web server, which allowed them to access the internal IHS network and obtain user account and password data on the system, including user names and passwords to IHS databases. The vulnerability was deemed "high risk" in the report, meaning "there is a strong need for corrective measures" though "existing systems may continue to operate, but a corrective action plan must be put in place as soon as possible."
In addition, testers were able to take control of an IHS computer, which allowed access to the computers resources, including records in the file system. This "medium risk" calls for corrective actions "within a reasonable period of time," stated the report.
OIG further recommends that IHS implement more effective procedures to protect its computer systems from cyber attacks, and periodically measure adherence to IHS security policies and procedures. The report is available here.
More for you
Loading data for hdm_tax_topic #reducing-cost...