OIG audit: HHS secretary must improve cloud security controls

Strong cloud security controls are essential to maintaining and safeguarding sensitive data as cloud adoption continues to grow in healthcare. The HHS Office of Inspector General (HHS-OIG) emphasized the importance of cloud security within HHS and the broader healthcare ecosystem in its latest cybersecurity audit, published in late July.

The audit, which focused on the cloud systems of the HHS Office of the Secretary (HHS OS), revealed significant cloud security gaps and a lack of qualified security officers at the HHS secretary's office. HHS OS oversees HHS programs and leads the development and implementation of IT infrastructure across HHS.

Given the office's leading role in the department, HHS-OIG recommended that HHS OS address these gaps immediately to prevent potential data breaches. In response, HHS OS concurred with the recommendations and made plans to implement them.

The HHS OS audit was part of a series of HHS-OIG audits aimed at assessing the cybersecurity controls for cloud information systems owned, operated or maintained by HHS or its contractors. The auditors working on this series assessed whether HHS and its operating divisions had implemented effective security controls for cloud information systems in alignment with federal requirements.

HHS-OIG published the results of the first audit in the series in March 2024. The audit centered around the Administration for Children and Families (ACF) and revealed several cloud security deficiencies. OIG discovered that ACF had not accurately identified and inventoried all its cloud computing assets.

The audit of HHS OS systems yielded similar results. HHS-OIG identified 13 HHS OS cloud systems that were not documented in its inventory. The issue arose because certain HHS OS system owners did not identify some of their information systems as cloud systems in accordance with HHS requirements.

In addition, HHS-OS lacked proper procedures to verify that its cloud system inventories were accurate.

"As a result, HHS OS may not be effectively managing cybersecurity risks for all of its cloud systems," the audit report stated.

"For example, HHS OS may be unaware that a misconfigured or unpatched cloud system susceptible to a cyberattack exists in its environment because the system was not inventoried, thereby making it unlikely that the system will be scheduled for patching to reduce the risk of a cyberattack."

Auditors also found several key cloud security controls missing or not implemented as per federal standards. For example, HHS OS did not implement multifactor authentication for three privileged accounts within one cloud system.

Additionally, HHS OS did not identify or correct system flaws in a timely manner for at least 25 cloud components.

"The security control findings we identified occurred because HHS OS System Security Officers -- most often assigned by business or system owners -- do not always have the skill sets or experience necessary to adequately perform the roles and responsibilities for the job function, as defined by NIST," the audit report noted.

"Although system security officer roles and responsibilities are defined in HHS security policies, there is no standardized process for ensuring qualified System Security Officers are assigned. This adversely affects HHS OS's ability to ensure security controls are effectively implemented."

HHS-OIG issued the following recommendations to HHS OS as the result of the audit:

• Remediate the 12 security control findings per NIST SP 800-53.
• Develop an inventory procedure to ensure that cloud system inventories are accurate and complete.
• Develop a policy to ensure that qualified staff are assigned as System Security Officers for cloud systems.
• Use cloud security assessment tools to identify misconfigurations and address poor controls.

HHS OS agreed with the recommendations, all of which align with department-wide standards. Other organizations can leverage the outcome of HHS-OIG's audits to strengthen security controls within their own cloud systems.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.