OIG audit of hospital's cybersecurity finds vulnerabilities in common web applications

The US Department of Health and Human Services Office of the Inspector General (OIG) released a report focused on a large Southeastern hospital that the agency said had security vulnerabilities that could be vectors for a cyberattack. The unnamed hospital, according to the OIG, would have difficulty detecting a data breach unless its defenses were tightened.

For this audit, the OIG looked at four internet-accessible web applications, testing whether the hospital (formally referred to as "the Entity") deployed cybersecurity controls that would prevent unauthorized intrusion of its network, ensure continuity of patient care in the event one occurred, and ultimately protect patient data, with an emphasis on Medicare enrollees.

"The Entity is a large hospital in the Southeast United States that has more than 300 beds and offers various health services, including emergency, cardiac, neurology, maternity, and radiology services," the OIG wrote. "The Entity is part of a network of providers that share protected health information for treatment, payment, and healthcare operations, and it adopted the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) version 9.4 as its main cybersecurity control framework in effect at the time of our testing."

The agency added that regulation variations and a lack of uniform cybersecurity standards across healthcare make it difficult for the federal government to monitor data security.

Consequently, the OIG emphasized that healthcare remains a prime target for attacks, given the value of PHI on the black market and the sheer number of systems connected to a hospital network that could be utilized for a data breach. In this case, it would be these unidentified web applications.

In their probe, investigators found that an account management platform had a control weakness, namely that multifactor authentication was not enabled. In fact, the report indicates that a mock phishing campaign deployed to test security at the Entity was able to capture credentials that would allow anyone to gain access.

The second vulnerability came in the form of another cybersecurity control weakness, this time on a portal to a database. To be more specific, the OIG said this particular application was not backed by a firewall that would be able to detect and automatically block attacks.

"As a result, the application may have been susceptible to injection attacks, including the insertion of malicious code by threat actors," the agency wrote.

It clarified that the systems in question, which cybersecurity teams were able to exploit, did not directly protect PHI and other data on patients. However, access could allow hackers to deploy targeted social engineering campaigns to find further weaknesses in the network that could potentially lead to a full-blown data breach, such as a ransomware attack.

The OIG said the hospital overall had cybersecurity defenses in place that were up to par with other organizations, including system backups that could be accessed in the event primary systems were compromised. It was able to detect and prevent most of the agency's simulated attacks.

But with persistence, the hackers were able to find holes in defenses, something every hospital is thought to have.

In this case, the agency said it made recommendations to secure the web applications, including adding multifactor authentication and ensuring logins were bolstered with a firewall. It also recommended that regular assessments be performed to test access control procedures.

"We suggested that the Entity utilize a wider array of security testing tools and techniques to better detect vulnerabilities in applications before updating production systems, such as dynamic application testing tools, static application testing tools, and manual interactive testing as part of its security testing process prior to deploying updates to internet-accessible production systems," the agency confirmed.

The hospital was said to have agreed with all recommendations and has worked to address them.

The full report is available here.

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.