Hospital system fails mock cyberattack
The 28-hospital Indian Health Service has failed a mock cyberattack conducted by the Office of Inspector General after its computer network was discovered to have "high risk" vulnerabilities.
This test was the first in a series of OIG audits to be conducted on the U.S. Department of Health and Human Services and its operating division's networks.
[See also: Cyberattack alerts coming to healthcare.]
Back in June, OIG conducted the hacking test on Indian Health Service's information systems and computer network, requesting that IHS response staff not be notified of the testing to better gauge employee response. Subsequently, the agency was able to obtain unauthorized access to an IHS Web server and one of its computers, according to a recent OIG report.
"We were able to gain unauthorized access to an IHS Web server, which allowed us to access the internal IHS network and obtain user account and password data on the system, including user names and passwords to IHS databases," OIG officials said, a vulnerability which they identified as being high-risk.
Agency officials were also able to access a computer's resources, including IHS system files, which they identified as medium risk.
This mock attack comes on the heels of a 2011 audit performed on IHS' network security which found its security controls to be "inadequate."
"The security vulnerabilities identified presented an increased risk that unauthorized individuals could gain access to the IHS network and potentially to the U.S. Department of Health and Human Services network," the report read.
OIG has put forth six recommendations for IHS to get their systemss security back on track.
In addition to 22 hospitals, IHS also manages 61 health centers and 31 health stations.
As a supplement to OIG audits, other mock cyberattacks have already come to the healthcare industry. Earlier this year, HHS teamed up with HITRUST to launch an industry-wide effort to simulate cyberattacks on healthcare entities.
The results will be used to evaluate industry response and threat preparedness against attacks and attempts to disrupt healthcare operations. The initiative will also gauge HHS' level of coordination and response time to industry events.
[See also: Hackers swipe health data of 405K.]
Twelve organizations are slated to participate in the initiative, which kicks off this month, including Children's Medical Center Dallas, CVS Caremark, Express Scripts, Health Care Service Corp., Highmark, Humana, UnitedHealth Group and WellPoint.