Looking in the Mirror: HHS OIG Audit Demonstrates HHS Agency’s Own Need for Focus on Cloud Security

BakerHostetler

Key Takeaways:

  • In March, the Office of Inspector General of the Department of Health and Human Services (OIG) published a report of its audit of Administration for Children and Families (ACF) “data hosted in certain cloud information systems.”
  • The report explains that the audit is part of a series examining “whether HHS and its Operating Divisions have implemented effective cybersecurity controls for cloud information systems in accordance with Federal security requirements and guidelines.”
  • Organizations subject to regulation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule may want to consider this report in developing their HIPAA security risk analyses and risk management plans for cloud services because, even though the ACF OIG audit applied different federal requirements and guidelines, the security controls assessed by OIG include widely accepted best practices for cloud security that can be mapped to HIPAA requirements.

Introduction

The OIG, the nation’s leader in fighting fraud, waste and abuse of Medicare, Medicaid and other HHS programs, periodically publishes reports on how federal healthcare programs could improve. One of these recent reports, Report No. A-18-22-08020, examined ACF’s cloud security controls “to determine whether [ACF] (1) accurately identified and inventoried its cloud computing components and (2) implemented security controls in accordance with Federal requirements and guidelines.” The audit encompassed the following components: a) review of the ACF cloud inventory and policies and procedures, b) analysis of ACF’s configuration of its vulnerability scanners, c) external, internal and web application penetration testing, and d) two phishing simulations targeting selected ACF personnel. The penetration testing was performed by a private sector cybersecurity firm engaged by OIG. Ultimately, OIG found an incomplete cloud systems inventory and 19 security control deficiencies to be remediated, and made a recommendation to use cloud security tools to identify misconfigurations and weak controls. HIPAA covered entities should take note of these findings. Although federal agencies are subject to different requirements than private sector entities, this OIG audit considered industry best practices for cloud security that covered entities could tie back to their HIPAA security programs.

OIG Findings

Cloud Inventory

The OIG found that ACF “failed to maintain policies and procedures to inventory and monitor cloud information system components,” and missed certain cloud-hosted websites, which were identified by OIG through the penetration test. Therefore, the OIG found that ACF had not properly maintained a cloud inventory as required by NIST 800-53. OIG pointed out that, if cloud systems are not identified on the inventory, application of security controls to those cloud systems may be overlooked. This finding is precisely why all security frameworks include a foundational inventory requirement. Entities must know what systems and data they are trying to protect before the entities can even attempt to protect them.

“Critical” Risk Findings

The most serious findings, in terms of security control deficiencies, were in the areas of access controls and system and information integrity, specifically access enforcement (AC-3) and information input validation (SI-10). For access enforcement, OIG found that “ACF did not prevent unauthorized exposure of sensitive information within 11 cloud components.” For information input validation, OIG found that “ACF did not adequately sanitize or verify information system input for two public-facing web applications hosted in the cloud.” HIPAA covered entities should note that if these findings sound similar to practices at their organization, they should prioritize making improvements to their security controls.

Additionally, ACF failed to “prevent unauthorized exposure of sensitive information within 11 cloud components.” This failure to adequately control access to cloud systems is especially serious considering that, according to the OIG, the data ACF maintains is so sensitive it could be used for “child exploitation.” Public exposure of information, or unintended access to it, through misconfigured cloud services has bedeviled cloud customers since the inception of such services, because configuring access to avoid such exposure is not always simple, and under the shared responsibility model configuring access controls is the customer’s responsibility. Given the complexity of enterprise cloud platforms and their constant evolution, configuring access properly requires specific expertise in the particular cloud service in use. Organizations with sufficient resources should consider engaging an independent expert to assess whether their configuration is secure and controls access as intended, and/or, as OIG recommended, using cloud security tools designed to identify insecure configurations.
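The two findings above (an incomplete inventory, and sensitive data exposed through access misconfiguration) are what a simple configuration audit is meant to catch. The following is an added example, not code from the OIG report or from ACF: it reconciles a declared asset list against what a scan enumerated, then evaluates each discovered component for exposure. The component names, their attributes and the “declared” set are constructed sample data, and the `Component` fields (`public`, `sensitive`, `encrypted`) are assumed abstractions standing in for provider-specific settings such as bucket policies or security-group rules.

```python
"""Added example: inventory reconciliation plus exposure checks over a
constructed set of cloud components (no real environment is queried)."""
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    kind: str                # "web_app", "bucket" or "db" (assumed categories)
    public: bool = False     # reachable without authentication
    sensitive: bool = False  # holds data that must not be publicly exposed
    encrypted: bool = True   # encrypted at rest


# Constructed "declared" inventory: what the spreadsheet says exists.
DECLARED = {"portal-prod", "case-files-bucket", "reports-db"}

# Constructed "discovered" components: what a scan or penetration test found.
DISCOVERED = [
    Component("portal-prod", "web_app", public=True, sensitive=False),
    Component("case-files-bucket", "bucket", public=True, sensitive=True),
    Component("reports-db", "db", public=False, sensitive=True),
    # Present in the cloud account but never inventoried, so never reviewed.
    Component("legacy-intake-site", "web_app", public=True, sensitive=True),
]


def inventory_gaps(declared, discovered):
    """Components the scan found that the inventory lacks, and vice versa."""
    found = {c.name for c in discovered}
    return {
        "undocumented": sorted(found - declared),
        "missing": sorted(declared - found),
    }


def exposure_findings(discovered):
    """Flag access-enforcement (AC-3) style exposures on each component."""
    findings = []
    for c in discovered:
        if c.public and c.sensitive:
            findings.append((c.name, "CRITICAL",
                             "sensitive data reachable without authentication"))
        elif c.public and c.kind != "web_app":
            findings.append((c.name, "HIGH",
                             "non-web component is publicly reachable"))
        if c.sensitive and not c.encrypted:
            findings.append((c.name, "HIGH",
                             "sensitive data stored without encryption at rest"))
    return findings


def audit(declared, discovered):
    """Combine both checks; note which critical exposures were on unlisted assets."""
    gaps = inventory_gaps(declared, discovered)
    findings = exposure_findings(discovered)
    unreviewed = [f for f in findings if f[0] in gaps["undocumented"]]
    return {"gaps": gaps, "findings": findings, "on_unlisted_assets": unreviewed}


if __name__ == "__main__":
    report = audit(DECLARED, DISCOVERED)
    print("Undocumented components:", report["gaps"]["undocumented"])
    for name, severity, reason in report["findings"]:
        print(f"{severity:8} {name}: {reason}")
```

The `on_unlisted_assets` entry is the point the OIG made about inventories: the exposed intake site only appears in the findings because the scan enumerated it, and an inventory-driven review would have skipped it entirely.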

ACF also “did not adequately sanitize or verify information system input for two public-facing web applications hosted in the cloud.” Input validation, a control that rejects or neutralizes malicious user input before an application acts on it, is a long-established defense against key web application threats such as SQL injection and cross-site scripting. This type of vulnerability is commonly identified through pen testing and addressed by current cloud security tools.
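To make the information input validation (SI-10) finding concrete, here is an added example, not code from the audited applications or from OIG: a lookup that concatenates user input into a SQL statement, beside a hardened version that applies an allowlist check and a parameterized query, plus output encoding for the HTML response. The `cases` table, its rows and the `C-NNNN` case number format are constructed assumptions for the example.

```python
"""Added example: unvalidated input beside validated, parameterized input.
Uses an in-memory SQLite database built from constructed rows."""
import html
import re
import sqlite3


def build_db():
    """Constructed sample data standing in for an application's case store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cases (id INTEGER, case_no TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO cases VALUES (?, ?, ?)",
        [(1, "C-1001", "intake complete"), (2, "C-1002", "pending review")],
    )
    return conn


def lookup_unsafe(conn, case_no):
    """Vulnerable form: the request parameter becomes part of the SQL text,
    so input containing quotes or operators changes what the query means."""
    sql = f"SELECT note FROM cases WHERE case_no = '{case_no}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


# Assumed format for a valid case number: allowlist, not a blocklist.
CASE_NO = re.compile(r"C-\d{4}")


def lookup_safe(conn, case_no):
    """Hardened form: reject anything outside the expected format, then pass
    the value as a bound parameter so it can never alter the statement."""
    if not CASE_NO.fullmatch(case_no):
        raise ValueError("invalid case number format")
    rows = conn.execute(
        "SELECT note FROM cases WHERE case_no = ?", (case_no,)
    ).fetchall()
    return [row[0] for row in rows]


def render_note(note):
    """Output encoding for an HTML context: stored text is shown as text,
    not interpreted as markup, which closes the cross-site scripting path."""
    return f"<td>{html.escape(note, quote=True)}</td>"


if __name__ == "__main__":
    db = build_db()
    print(lookup_safe(db, "C-1001"))
    print(render_note("<b>not markup</b>"))
```

Validation and parameterization do different jobs: the allowlist limits what the application will even consider, and the bound parameter guarantees that whatever survives validation is treated as data by the database driver rather than as SQL.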

“High” Risk Findings

OIG also identified ten “high risk” control deficiencies. These included controls in the areas of access control, security assessment and authorization, audit and accountability, configuration management, system and information integrity, and identification and authentication. While discussion of each of these findings is beyond the scope of this blog post, many of them involve controls that are now widely regarded as fundamental, including, but not limited to, failing to implement multifactor authentication for privileged accounts, failing to install software security updates, and failing to restrict access to the minimum necessary.

Managing Risk

In comments to the report, ACF agreed with OIG’s recommendations and described its risk management plan. ACF’s risk management plan may be representative of the kinds of actions many organizations consider taking in pursuit of enhancing controls and maturing their security programs – for example:

  • Transitioning its inventory process from using spreadsheets to a more formal Governance, Risk and Compliance platform, automating asset discovery and management, improving its procurement and development processes to ensure that new assets are appropriately identified and catalogued, and including in its inventory additional information such as the purpose of the asset and system supported
  • Investing in a “Next Generation Secure Cloud (NGSC) infrastructure project” involving automation of code management, testing and scanning, default implementation of encryption at rest and in transit, application and network monitoring and logging, and network isolation
  • Implementing cloud security baselines using the Defense Information Systems Agency’s Security Technical Implementation Guides (“STIGs”) and/or Center for Internet Security (“CIS”) Benchmarks
  • Deploying technical tools such as endpoint detection and response (“EDR”) and file integrity monitoring, and passive and dynamic code scanning
  • Enhancing penetration testing services and expanding vulnerability monitoring capabilities with a more up-to-date web application scanning tool

Note that the ACF comments do not name any specific cloud security services or tools, nor do they identify them by any of the many monikers coined by industry analysts for the ever-evolving categories of cloud security tools flooding the market, which are designed and advertised as solutions to the kinds of issues flagged by the OIG audit. These categories overlap and are defined differently by different vendors and analysts; they include cloud security posture management (“CSPM”), cloud workload protection platforms (“CWPP”), extended detection and response (“XDR”), secure access service edge (“SASE”), and cloud native application protection platforms (“CNAPP”).

The market for these types of cloud security services is dynamic. It can also be confusing to potential customers because the services overlap and vary in what capabilities are included (even within categories); the names of both the categories and the services are constantly changing; and the number of acronyms involved is astounding, even for cybersecurity, a notoriously acronym-heavy discipline. Given the inevitable integration of cloud services into any modern IT environment, organizations will have to look past the jargon and marketing language for an informed consideration of whether they should be deploying any of these cloud security services. This will be challenging for organizations without dedicated information security resources or with small IT units where the information security function is embedded in operational roles, potentially requiring outside experts.

Conclusion

An undeniable truth demonstrated starkly by the OIG ACF audit report is that as IT continues its inevitable shift to the cloud, and the volume and variety of cloud services continues to increase, cloud security expertise has become essential. The federal government is checking itself on this, so it is only a matter of time until HIPAA covered entities find themselves on the receiving end of an audit of the same. HIPAA covered entities should evaluate this audit and be proactive in evaluating their own practices, as the controls assessed here also map to HIPAA security requirements.

© BakerHostetler
