A US government wireless penetration test of 13 data centers operated by the Centers for Medicare and Medicaid Services identified several vulnerabilities in network security controls.

Investigators at the Department of Health and Human Services’ Office of Inspector General called some of the vulnerabilities “significant,” but said that there was no evidence of any malicious forces taking advantage of the security holes. CMS agreed with the findings and said it had already addressed several of the issues.

Image: Department of Health & Human Services, the federal body in charge of CMS (Wikimedia Commons/Sarah Stierch)

Health check

The OIG said in a report: “Although the Centers for Medicare & Medicaid Services had security controls that were effective in preventing certain types of wireless cyber-attacks, we identified four vulnerabilities in security controls over its wireless networks.”

It continued: “Our test simulated certain wireless cyber-attacks using tools and techniques commonly used by attackers to gain unauthorized access to wireless networks and sensitive data.

“According to CMS, these vulnerabilities existed because of improper configurations and failure to complete necessary upgrades that CMS previously identified and reported as having been currently underway.”

The report added: “The vulnerabilities that we identified were collectively and, in some cases, individually significant. Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to and disclosure of personally identifiable information, as well as disruption of critical operations.

“In addition, exploitation could have compromised the confidentiality, integrity, and availability of CMS’s data and systems.”

The testing was conducted from August 31, 2015, to December 4, 2015, but its results have only now been made public.

The exact nature of the security failings was, as expected, not disclosed publicly; the detailed findings and recommendations were provided to CMS separately. OIG said: “When implemented, these recommendations should further strengthen the information security of CMS’s wireless networks.”

Andrew Slavitt, Acting Administrator for CMS, commented: “CMS acknowledges that risks exist inherently for every IT system and that as technology progresses, additional safeguards will be needed. Through the enforcement of documented policies and procedures, as well as dedicated information security staff, CMS protects the security and privacy of data.

“CMS appreciates the OIG’s suggestion of controls and processes that could be improved to further reduce or mitigate risk. CMS concurred with all of the OIG findings and has already addressed several of the findings and is in the process of addressing the remaining findings.”