A wireless penetration test of data centers operated by the Centers for Medicare and Medicaid Services has identified vulnerabilities in network security controls.

The testing by the Department of Health and Human Services’ Office of Inspector General was conducted at 13 CMS data centers and facilities using tools and techniques commonly used by attackers to gain unauthorized access to wireless networks and sensitive data.

“Although the Centers for Medicare and Medicaid Services had security controls that were effective in preventing certain types of wireless cyber-attacks, we identified four vulnerabilities in security controls over its wireless networks,” states an OIG report.

“The vulnerabilities that we identified were collectively and, in some cases, individually significant,” investigators said. “Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to and disclosure of personally identifiable information, as well as disruption of critical operations. In addition, exploitation could have compromised the confidentiality, integrity, and availability of CMS’s data and systems.”

According to OIG, CMS indicated that these vulnerabilities were the result of “improper configurations and failure to complete necessary upgrades that CMS previously identified and reported as having been currently underway.”

Auditors recommended that CMS improve its security controls to address the identified wireless network vulnerabilities. “When implemented, these recommendations should further strengthen the information security of CMS’s wireless networks,” the auditors said, adding that “because of the sensitive nature of our findings, we have not listed the detailed recommendations in this summary report.”

In its written response to the report, CMS concurred with all of OIG’s findings and stated that it had already addressed several of the issues and is in the process of taking care of the rest. The report notes that CMS commented separately on the more detailed information OIG sent to the agency, which indicated that it had accepted the responsibility for resolving the vulnerabilities.
