How HHS-OIG conducts cybersecurity audits

How OIG chooses audit subjects

In general, OIG audits follow standards federal government auditing standards, including three stages: planning, fieldwork, and reporting.

“At HHS, our planning first involved conducting research and gathering information. We went to various sources, such as OMB directives that had been issued, and the Cybersecurity and Infrastructure Agency, to see any guidelines that have been issued to federal agencies,” Patterson said.

“We also looked at any ongoing IT initiatives from the department. We take into account information on the latest cyberattacks and techniques that hackers are using to attack government systems as well as applicable federal government criteria, any guidelines and industry best practices. And all of this is to help us decide where we should focus our audit efforts.”

Using that information, the audit team determined that cloud computing was a key cybersecurity risk that could hamper HHS’ ability to perform its mission. As a result, OIG’s ongoing series of audits focuses on the security of cloud information systems.

“As a part of this series of audits, we analyzed previous cybersecurity audit reports for any significant cybersecurity findings that were identified,” Patterson added.

“We utilized data from previous mandated audit works, such as our annual FISMA audit, in which we performed an assessment of HHS' information security program, and we utilized that data to consider any OpDiv that has been migrating a significant number of systems to the cloud.”

This process led OIG to ACF. After obtaining approval from senior leadership to conduct this series of audits, OIG notified ACF of the audit, explained the criteria and scope, and provided a timeline for completion.

Performing the audit

The ACF audit consisted of a review of ACF’s cloud inventory as well as its cloud security policies and procedures. The audit also included penetration tests of cloud systems and simulated phishing campaigns that enlisted the help of ACF personnel.

“Since this audit involved completing a penetration test of selected cloud systems, we also had to establish a set of rules and expectations with the opt-in for conducting a penetration test, known as the rules of engagement,” Patterson explained.

“Once we established this, we completed the audit fieldwork phase, which involved reviewing OpDiv policies and procedures relating to maintaining an accurate inventory of cloud information systems and other key information security controls such as configuration management controls that are required to be implemented for cloud systems by HHS OpDivs in accordance with NIST standards.”

The audit also incorporated interviews with system owners and personnel who manage the security operations of the cloud systems. The penetration tests revealed vulnerabilities, which OIG relayed to ACF to remediate and identify potential solutions.

Next, OIG reported the results of the audit to ACF and communicated the results to the audit team and other key stakeholders. Finally, the report was published to the public on the OIG website, where it could be used to inform security activities for other entities.

Key takeaways for HHS entities, healthcare organizations

OIG’s audit of ACF revealed several cloud security deficiencies. OIG found that ACF had not accurately identified and inventoried all its cloud computing assets and had not effectively implemented other security controls to protect its cloud information systems.

The audit also revealed gaps in cloud and web application technical testing techniques, resulting in a higher risk of system compromise. OIG recommended that ACF improve its security controls, remediate vulnerabilities, and use cloud security assessment tools to identify weak controls. ACF concurred with the recommendations and took action to address them.

While the audit results were specific to ACF, Patterson explained that the recommendations given are applicable to all entities.

“HHS entities, we believe, should evaluate the default system settings for all cloud services in use to determine if they're secured in accordance with government requirements or industry benchmarks,” Patterson stated.

“As we recommended to ACF in our report, they can leverage cloud security assessment tools to identify misconfigurations and control deficiencies that they may be unaware of.”

Patterson stressed the importance of employing cloud security best practices, such as ensuring that security assessments of cloud systems include the emulation of common adversary tactics to mimic scenarios and identify gaps.

The ACF audit was the first in a series of audits that Patterson’s team is conducting. Patterson expressed optimism that future audits will continue to reveal common cloud security gaps that HHS entities and healthcare organizations can address.

“We hope that HHS, as well as our stakeholders and others, gain some benefit from the cybersecurity audit work we conduct. Many of the cybersecurity risks we identified may also exist in other organizations, particularly in the healthcare sector,” Patterson added.

“We believe that the recommendations we made in our report to ACF would not only help them to strengthen the security controls for their cloud systems, but specifically would also help the department overall to strengthen security controls for their cloud systems.”