The Department of Health and Human Services (HHS) faces significant cloud security vulnerabilities, as highlighted in a recent audit by the Office of Inspector General (OIG). The report reveals weaknesses in a dozen security controls and inadequacies in HHS’ cloud inventory processes. Critical issues include a lack of multifactor authentication for privileged accounts and insufficient encryption for web traffic. Experts emphasize that these problems are common in healthcare organizations, often due to reliance on default configurations and a misunderstanding of cloud providers’ security responsibilities.
The audit also uncovered that HHS has not accurately identified all its cloud systems and lacks documented procedures to verify cloud inventories. This oversight increases the risk of cyberattacks on misconfigured or unpatched systems. The OIG recommends several measures, including developing accurate inventory procedures, remediating identified weaknesses, and ensuring qualified personnel manage cloud security. HHS has agreed to implement these suggestions.