Privacy & Security

OIG finds 'significant' security flaws in CMS' wireless networks

While CMS has 'effective' security controls to prevent some cyberattacks, according to OIG penetration tests, there are four vulnerabilities that could lead to exploitation.
By Jessica Davis
August 24, 2016
10:44 AM

The wireless networks of the Centers for Medicare and Medicaid Services have "significant" vulnerabilities, according to penetration tests administered by the Office of Inspector General.

OIG administered penetration tests to 13 CMS data centers and facilities from Aug. 31, 2015, to Dec. 4, 2015, during which, it simulated certain wireless cyberattacks with tools and techniques commonly used by cybercriminals.

While CMS had "effective" security controls that could prevent certain types of certain wireless cyberattacks, according to the report, OIG discovered four vulnerabilities in its wireless network security controls.

There was no evidence these vulnerabilities were exploited, according to the report. However, exploitation would have led to unauthorized access, disclosure of personally identifiable information, disruption of critical operations and could have compromised the integrity of CMS data and systems.

"We recommended that CMS improve its security controls to address the wireless network vulnerabilities we identified," said OIG officials in the report. "When implemented, these recommendations should further strengthen the information security of CMS's wireless networks.

[Also: 4 security controls OIG will focus on in 2016]

"The assumption of risk is part of the security control process and each U.S. Department of Health and Human Services operating division has the authority to make risk-based decisions," they added. "The justification of risk acceptance must be documented and should be certified by the appropriate operating division management."

The agency didn't reveal the specific vulnerabilities or its recommendations due to the sensitive nature of the findings.

CMS was notified of the specific details found by OIG and concurred with the findings, according to the report. Several of the security issues have been addressed by CMS. Further, CMS accepted the risk of some vulnerabilities.

"CMS acknowledges that risks exist inherently for every IT system and that as technology progresses, additional safeguards will be needed," CMS Acting Administrator Andy Slavitt said in response to OIG.

"Through the enforcement of documented policies and procedures, as well as dedicated information security staff, CMS protects the security and privacy of data," he added. "CMS appreciates the OIG's suggestion of controls and processes that could be improved to further reduce or mitigate risk."

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn

Topics: 
Compliance & Legal, Government & Policy, Privacy & Security

More regional news

Capitol rotunda at sunset

Congress releases AI policy blueprint

By
Andrea Fox
December 20, 2024
Epic booth at HIMSS global conference

Epic files to dismiss antitrust lawsuit

By
Andrea Fox
December 20, 2024
Representatives of NUS Medicine, Kailuan General Hospital, Tianjin Medical University, and Tianjin Medical University General Hospital pose after signing their MOU

Chinese hospitals join NUS Medicine's big health data project

By
Adam Ang
December 19, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Capitol rotunda at sunset
Congress releases AI policy blueprint

Most Read

Aidoc, NVIDIA intro new plan to speed AI adoption in healthcare
Winning cybersecurity warfare is the ultimate millstone for CISOs
A passwordless future for clinicians? Industry paper points to a new paradigm
White House OMB is reviewing proposed cybersecurity updates to HIPAA
NHS to roll out radiology AI across 10 health trusts
Oracle Health to apply for QHIN status

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

John Saran at Holland & Knight_Modern office buildings in London Photo by Tim Grist Photography/Moment/Getty Images
PE and healthcare investment: What's next for 2025
Sponsored by
Healthcare worker talking to patient
New infusion pumps may help lighten nurses’ workload
Dr Chien-Tzung Chen 4t Linkou Chang Gung Memorial Hospital_HIMSS24 APAC
Linkou Chang Gung Memorial Hospital eyes remote patient monitoring at home
Dan Torrens at eHealth Technologies_Blockchain in healthcare concept Photo by ArtemisDiana/iStock/Getty Images Plus
Getting providers from point A to B

More Stories

Dr. Eric Liederman, CEO of CybersolutionsMD
Q&A: CybersolutionsMD CEO on preventing cyberattacks
Change healthcare booth
Nebraska sues Change Healthcare over ransomware attack
Vijayashree Natarajan of Omega Healthcare on AI
Three for 2025: data security, cancer informatics and agentic AI
Capitol Hill
Congress looks set to extend telehealth and hospital-at-home flexibilities
Josh Di Frances at LG NOVA_Top down view of startup team Photo by NanoStockk/iStock/Getty Images Plus
What a startup pitch competition shows about IT innovation
Ravi Teja Karri of Froedtert Health on AI
Using AI and ML in predictive analytics for bed demand forecasting
Abstract image of AI brain and technology
ASTP updates HHS AI Use Case Inventory for 2024
Female doctor on laptop smiles at patient in foreground who is taking notes
Report shows overwhelming doctor support for virtual care