An OIG pen test found ‘significant’ vulnerabilities in wireless networks that could result in unauthorized access to personally identifiable information

Security holes that could lead to “unauthorized access” to personally identifiable information is not something you want to hear in regards to the wireless networks of a federal agency tasked with collecting and storing financial and healthcare information. Yet a recent Office of Inspector General (OIG) report said it found vulnerabilities in the wireless networks of Centers for Medicare & Medicaid Services (CMS). If exploited, they could lead to unauthorized access and even “disruption of critical operations.”

The OIG at the Department of Health and Human Services (HHS) conducted a wireless penetration test on 13 CMS data centers and facilities. CMS, an agency within HHS, administers federal healthcare programs such as Medicare, Medicaid and the Children’s Health Insurance Program. The agency collects, generates and stores financial and healthcare information.

The pen tests, conducted between Aug. 31, 2015, and Dec. 4, 2015, “simulated” wireless cyber attacks using the same tools and techniques attackers would use to gain unauthorized access to wireless networks and sensitive data.

While the wireless penetration test report (pdf) is short on specifics, the OIG said it found “four vulnerabilities in security controls over its wireless networks.” The OIG did not find evidence that the security holes were exploited, but it called the vulnerabilities “significant.” CMS laid the blame on “improper configurations and failure to complete necessary upgrades.” The OIG’s findings state:

Although the Centers for Medicare & Medicaid Services had security controls that were effective in preventing certain types of wireless cyber attacks, we identified four vulnerabilities in security controls over its wireless networks.

According to CMS, these vulnerabilities existed because of improper configurations and failure to complete necessary upgrades that CMS previously identified and reported as having been currently underway.

The vulnerabilities that we identified were collectively and, in some cases, individually significant. Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to and disclosure of personally identifiable information, as well as disruption of critical operations. In addition, exploitation could have compromised the confidentiality, integrity, and availability of CMS’s data and systems. We promptly shared detailed information with CMS about our preliminary findings in advance of issuing our draft report.

The OIG recommended improved security controls to close the wireless network holes. Andrew Slavitt, acting administrator at CMS, “appreciated” the chance to comment on the OIG’s wireless pen test of CMS data centers and offsite facilities.
He reiterated the fact that the OIG “found no evidence of unauthorized access to or disclosure of personally identifiable information” and no evidence that critical operations had been disrupted.

Slavitt noted several CMS procedures and policies used to nip cyber threats in the bud, including security tech to protect the CMS network and laptops from rogue wireless access points. He also mentioned a dedicated information security staff. Combined, “CMS protects security and privacy of data.”

Although there were scant details, Slavitt wrote:

The CMS Employee Wireless network requires two-factor authentication; the internal network can then only be accessed through a virtual private network (VPN) over the wireless connection. The Guest Wireless Network, which provides only public Internet access at CMS buildings, is isolated from the internal network and the CMS Employee Wireless network. Both wireless networks are continuously monitored and automatically block threats using a security prevention technology.

CMS acknowledged the risks, concurred with the OIG findings, and said it has either already addressed the issues or is in the process of addressing the remaining security problems.