In March 2014, the OIG published details of a penetration test that it conducted on the Indian Health Service (IHS) to determine whether IHS network systems were susceptible to compromise by cyber attacks. In 2011, during a separate IT general controls audit of the IHS, the OIG found its network security controls to be adequate and therefore decided to perform further testing in the form of an external penetration test.
The Indian Health Service (IHS), which is 1 of 12 HHS operating divisions, provides health services through health programs operated by Native American tribes and through services purchased from private providers. The system consists of 28 hospitals, 61 health centers, 34 health stations and 33 urban Indian health projects that provide a variety of health and referral services.
During this test, in June 2013, the OIG was able to gain unauthorized access to one of the IHS’ web servers, which allowed them to obtain user account and password data from the internal network — a “high” security risk. OIG testers were able to take control of an IHS computer, including records in a file system. Overall, the OIG found the security of IHS to be deficient and made a total of 6 recommendations. The specific details of the recommendations were not published due to the sensitive nature of the vulnerabilities, but they were provided to the IHS so it can address the issues that were identified.
The report warned that this audit was the first of a series of OIG HIPAA audits planned to include penetration testing of the networks of HHS and its operating divisions. Recently, we wrote that the Office of Inspector General (OIG) will also be evaluating the security of covered entities and their business associates (read the post here). The question for these organizations is: are more OIG penetration tests coming?
While not explicitly specified by the HIPAA regulations, penetration testing is a generally accepted security control for validating the security of systems. The HIPAA regulations incorporate the principle of scalability: organizations are expected to implement security measures appropriate for the size, complexity and sophistication of the organization. With HIPAA there is no hard and fast rule regarding which covered entities should conduct pen tests. Very small organizations such as physician practices can generally argue that a penetration test is not necessary. Eagle Consulting recommends that medium-sized and larger covered entities—and business associates offering cloud computing services to covered entities—conduct their own penetration tests before the OIG comes knocking.