How a Cybersecurity Audit Can Identify Risk of Compromise

While some organizations are still recovering from the effects of the Change Healthcare cyberattack, others are working to develop a robust cybersecurity infrastructure.

As these attacks become more sophisticated and the extent of their damage grows, organizations must be vigilant when it comes to patient data and information.

When conducting cybersecurity audits, the HHS Office of Inspector General (OIG) uses their findings to provide recommendations to help strengthen the subject’s security. For example, in a recent audit of the office’s Administration for Children and Families division, OIG found that data hosted in certain systems were at a high risk of compromise due to the following:

• Cloud computing assets weren’t identified and inventoried accurately.
• While there were some security controls in place, several others weren’t implemented in accordance with federal requirements/guidelines.
• ACF didn’t perform adequate cloud and web application technical testing techniques against its systems.

In addition to reviewing ACF’s cloud computing assets, OIG looked at the configuration of the division’s scanners, performed internal, external, and web application penetration tests, and even conducted two simulated phishing campaigns.

“We made a series of recommendations to ACF to improve its security controls over cloud information systems, including that it updates and maintains a complete and accurate inventory,” OIG said in a statement on the audit.

Some organizations use multiple vendors for things like electronic health records, remote patient monitoring, and even to complete revenue cycle processes. Cloud computing assets can store vendor software and data but, as the OIG’s audit showed, lax security controls can increase their risk of being compromised.

Adam Zoller, chief information officer at Providence Health, previously explained the challenge of aligning healthcare’s cybersecurity standards with vendors.

“As a large hospital system, we are relying on hundreds of third parties,” he said. “And when some of those devices are 100% vendor-managed, they often won’t modify anything.”