The HHS OIG says the Administration for Children and Families stored data in an at-risk cloud system.
What happened
The Office of Inspector General of the Department of Health and Human Services (HHS OIG) recently released a report showing that the Administration for Children and Families (ACF) may have placed data at risk in its cloud information systems by failing to adequately safeguard its infrastructure and software.
The ACF is designed to support and offer initiatives that empower families and improve access to services that create strong, healthy communities. Projects include refugee resettlement, childcare, and more.
In late March, the OIG conducted an audit of the ACF and found that the ACF did not have an accurate inventory of all its cloud computing assets.
The audit determined that some security controls were in place to protect cloud information systems, but that they were not implemented consistently across all systems in compliance with federal regulations. The report also found that the ACF did not conduct adequate testing to identify vulnerabilities proactively.
Ultimately, the OIG found that certain systems may be at a “high risk of compromise.”
Going deeper
The OIG conducted this audit to determine if the ACF aligned with HHS policies, federal requirements, and security controls determined by the National Institute of Standards and Technology (NIST).
ACF uses cloud services to process, store, and transmit ACF-related information. The OIG found that approximately 62% of ACF’s information systems were hosted by cloud service providers.
The findings rated two security controls, access enforcement and information input validation, as critical-level vulnerabilities. Many other security components were rated at a high or medium level of vulnerability.
Following the findings, the OIG made the following recommendations for the ACF:
- Updating and maintaining a complete and accurate inventory of information systems hosted in the cloud,
- Remediating the 19 security control findings in accordance with NIST SP 800-53,
- Updating its cloud security procedures to include detailed steps for staff to implement cloud security following HHS requirements,
- Leveraging cloud security assessment tools to identify weak cybersecurity controls in the infrastructure,
- Conducting testing of cloud information systems that include emulation of an adversary’s tactics and techniques.
ACF responded to the OIG, generally agreeing with recommendations and describing steps the administration had already taken to reduce vulnerabilities in its cloud infrastructure.
Why it matters
Audits like this help determine where an organization stands regarding security requirements. To conduct the audit, the OIG tested and probed various components of ACF’s cloud infrastructure and software.
While an audit is highly beneficial, organizations should consider conducting these tests themselves on a regular basis to ensure compliance with NIST guidance, federal regulations, and any other applicable requirements.
The big picture
In the past, government bodies have received criticism for failing to meet their own federal regulations. Audits are a step in the right direction to improve accountability and promote public awareness.
While the recommendations for the ACF will take time to implement, it’s necessary that the public, and the organizations themselves, are aware of the importance of maintaining data security and compliance.