Friday, August 19, 2016

OIG: CMS data center wireless systems vulnerable

A wireless penetration test of data centers operated by the Centers for Medicare and Medicaid Services (CMS) has identified vulnerabilities in network security controls.


The testing by the Department of Health and Human Services’ Office of Inspector General was performed at thirteen CMS data centers and services, using tools and techniques commonly used by attackers to gain unauthorized access to wireless networks and sensitive information.


“Although the Centers for Medicare and Medicaid Services (CMS) had security controls that were effective in stopping few kinds of wireless cyber-attacks, we recognized 3 major susceptibilities in security controls over its wireless systems,” states an OIG report.


“The susceptibilities that we recognized were collectively and, in few cases, individually significant,” investigators stated. “Although we didn’t recognize evidence that the susceptibilities had been exploited, exploitation could have resulted in unauthorized approach to and disclosure of personally identifiable data, as well as disruption of critical operations. Additionally, exploitation could have compromised the confidentiality, integrity, and presence of CMS’s information and wireless systems.”


According to OIG, CMS indicated that these vulnerabilities were the result of “improper configurations and failure to complete essential upgrades that CMS initially identified and reported as having been presently underway.”


Auditors recommended that CMS improve its security controls to address the identified wireless system vulnerabilities. “When executed, these suggestions should further strengthen the data security of CMS’s wireless systems,” the auditors said, adding that “due to the sensitive nature of our findings, we’ve not listed the detailed suggestions in this summary report.”


In its written response to the report, CMS concurred with all of OIG’s findings and said that it had already dealt with several of the problems and is in the process of taking care of the rest. The report points out that CMS commented separately on the more detailed information OIG sent to the organization, which demonstrated that it had accepted responsibility for resolving the vulnerabilities.


 
