Lessons from Strengths, Weaknesses of HHS Security Controls
Reports Cite Robust Use of Multifactor Authentication, Shortcomings in Wireless Security
The Department of Health and Human Services offers a model for applying multifactor authentication for privileged users, a new report illustrates. On the other hand, a second report shows HHS, like many healthcare organizations, is struggling to manage wireless security vulnerabilities.
The HHS Office of Inspector General issued the two reports.
In its new report on HHS' general security practices, OIG notes that all but seven of the agency's 558 systems, or 99 percent, require multifactor authentication for access by privileged users for a variety of reasons.
"This percentage is much higher than what we see in the private sector," says Mac McMillan, CEO of the security consulting firm CynergisTek and a former defense department information security director. Multifactor authentication is an effective security measure, he says, because it makes it much more difficult for hackers to misuse privileged accounts.
Security Management Practices
The report, HHS Security Management Practices for Computer Systems With Access to Personally Identifiable Information, notes that HHS requires two-factor authentication - a personal identity verification (PIV) card and a personal identification number (PIN) - for privileged users to gain network-level access.
"This form of multifactor authentication is primarily controlled through the Active Directory [through] single sign-on," the report notes. "Once a user's PIV and PIN are authenticated, some HHS systems do not require additional verification. Other systems require additional authentication, such as user names and passwords and PIV cards with a PIN; user names and passwords and RSA tokens; and user names and passwords and PIV cards with a PIN and additional alternate logon tokens or smart cards."
The report also points out that HHS uses the following logical access controls:
- Requiring privileged users to have a separate user account;
- Following the principles of least privilege;
- Monitoring the use of information system accounts;
- Reviewing all user accounts annually;
- Disabling all inactive user accounts after 60 days of nonuse;
- Establishing, administering and monitoring privileged user accounts in accordance with a role-based access scheme;
- Restricting privileged accounts to personnel or roles as specified by the operating division.
OIG says that HHS and its operating divisions report that they have "implemented logical access controls on all covered systems, and all users, including privileged users, are subject to them."
Private Sector Challenges
Unlike HHS, private sector healthcare entities and their business associates "are hampered by the fact that ... their requirements for access control are not nearly as well spelled out, which at times makes it difficult for them to get support or budget for such measures," McMillan says.
To bolster security of privileged access accounts further, McMillan suggests HHS as well as private sector organizations consider moving to "non-persistent privileged accounts, meaning utilizing a vaulting technology solution to eliminate privileged accounts altogether except when they are needed."
Dan Berger, CEO of security consulting firm Redspin, notes that logical access controls are foundational elements of effective IT security and risk management. "But what we've seen in many recent breaches are accounts of privileged users compromised through sophisticated phishing attacks," he says. "Multifactor authentication provides an extra layer of protection against such attacks."
Nevertheless, many healthcare organizations have been slow to adopt multifactor authentication, he says, because "users tend to dislike such controls since they can be cumbersome. The challenge facing CEs and BAs when it comes to ePHI is almost always a trade-off between facilitating access and the need for security."
Preventing Wireless Cyberattacks
The second HHS OIG report found areas where HHS' Centers for Medicare and Medicaid Services is weak in protecting its wireless networks. And McMillan says the general weaknesses described are also typical challenges for private healthcare sector entities.
"Many of our medical devices and applications are accessed/communicate over a wireless network," he says. "Securing these pathways into the enterprise is just as important as securing any other. ... The problem is, like we see here with CMS, organizations don't always do what they know they should."
The report, Wireless Penetration Test of the Centers for Medicare and Medicaid Services' Data Centers, was based on penetration tests of selected CMS data centers and employee and contractor facilities conducted last year.
"The increased use of wireless technology has introduced several new security risks to the computing environment that can compromise sensitive information, including eavesdropping, unauthorized access points, and signal leakage," OIG notes. "To minimize these risks, federal agencies must implement the security controls necessary to ensure that sensitive information processed on its wireless networks and devices is protected."
In the report, OIG says it found that "although CMS had security controls that were effective in preventing certain types of wireless cyberattacks, we identified four vulnerabilities in security controls over its wireless networks." But the report does not detail the vulnerabilities, which it portrays as significant, due to the "sensitive nature of the information."
OIG notes in the report, however: "According to CMS, these vulnerabilities existed because of improper configurations and failure to complete necessary upgrades that CMS previously identified and reported as having been currently underway."
OIG notes that although it did not identify evidence that the vulnerabilities had been exploited, "exploitation could have resulted in unauthorized access to and disclosure of personally identifiable information, as well as disruption of critical operations. In addition, exploitation could have compromised the confidentiality, integrity and availability of CMS' data and systems."
Berger notes that wireless local area networks "are basically susceptible to two types of vulnerabilities - poor configuration and poor encryption. Both can and should be tested through a wireless penetration test. Preventing the hacking of wireless access points is not a major challenge to prevent, yet it often gets overlooked."
OIG notes it offered several recommendations for CMS to improve its security controls to address the wireless network vulnerabilities identified. In written comments, CMS concurred with all of OIG's findings and reported that it had already addressed several of them and is now addressing the rest.
McMillan suggests that healthcare entities and their business associates can help prevent wireless cyberattacks on their systems by taking several key measures.
"Follow sound practices for configuring wireless networks, use the latest wireless standards, encrypt appropriately and segregate wireless networks by asset criticality and/or risk," he says.