April 11, 2019

Grassley Seeks Information about Information and Systems Security Vulnerabilities at the Department of Health and Human Services

WASHINGTON – Senate Finance Committee Chairman Chuck Grassley is seeking details on Department of Health and Human Services (HHS) plans to implement new information and cyber security policies to mitigate several vulnerabilities found in an inspector general audit.
 
On March 1, 2019, the Department of Health and Human Services Office of Inspector General (HHS OIG) released a report titled, “Summary Report for Office of Inspector General Penetration Testing of Eight HHS Operating Division Networks.”  The report was based on two years of extensive network security testing, which found scores of vulnerabilities ranging from “critical” to “low” risk in several offices and agencies within the department. Specifically, the HHS OIG report stated the likely level of sophistication needed by a prospective attacker to successfully infiltrate HHS Operating Division networks is low to moderate and does not require significant technical knowledge.
 
In a letter to HHS Secretary Alex Azar, Grassley requests an outline of what steps have already been taken to mitigate the vulnerabilities, the specific new agency-wide policies that have been implemented and timelines for further steps sufficient to close the recommendations.
 
Full text of the letter from Grassley to Azar follows. Text of the letter and the enclosed HHS OIG report can be found HERE. The enclosure has been redacted in consultation with the HHS OIG to ensure sensitive information is not inappropriately disclosed.
 
April 9, 2019
 
VIA ELECTRONIC TRANSMISSION
The Honorable Alex Azar II
Secretary
Department of Health and Human Services
 
Dear Secretary Azar:
 
The Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD-21) tasked Federal entities with strengthening the security and resiliency of critical infrastructure against physical and cyber threats.[1] The Department of Health and Human Services was designated to oversee and manage the health care and public health sectors in this regard.[2] In 2017, the Health Care Industry Cybersecurity (HCIC) Task Force identified the need to “[i]ncrease the security and resilience of medical devices and health IT” and “ensure cyber security awareness and education” in order to keep patients safe and protect their information from vulnerability or exploitation.[3] Cyber risks to the health care sector are real and increasing, and all reasonable efforts must be taken to combat them to protect individuals and their privacy.
 
On March 1, 2019, the Department of Health and Human Services Office of Inspector General (HHS OIG) released a report entitled, “Summary Report for Office of Inspector General Penetration Testing of Eight HHS Operating Division Networks.” [4] That report outlined the results of penetration testing of the Centers for Disease Control, National Institutes of Health, Indian Health Service, Health and Human Services Office of the Secretary, Substance Abuse and Mental Health Services Administration, Centers for Medicare and Medicaid Services, Food and Drug Administration, and Administration for Children and Families. These cyber tests took place during fiscal years 2016 and 2017 and were conducted by Defense Point Security (DPS) on behalf of HHS OIG.[5] These tests probed and analyzed the cyber posture and vulnerability from outside of the HHS Operating Division’s (HHS OpDiv) network security perimeter.[6]
 
The report uncovered some critical deficiencies and issues where HHS has room for improvement. Specifically, the HHS OIG report stated the likely level of sophistication needed by a prospective attacker to successfully infiltrate HHS OpDiv networks is low to moderate and does not require significant technical knowledge.[7] In addition, during testing the HHS OIG identified 197 vulnerabilities to include 37 classified as Critical, 36 High, 116 Medium, and 8 as low.[8] Moreover, HHS OIG “[was] able to gain access to various devices on the network, escalate privileges, evade detection, and gain unauthorized access to personally identifiable information (PII) at four of the eight OPDIVs that we tested.” [9] In gaining that access, the penetrations were able to access personally identifiable information for more than 9,000 records, which included phone numbers, address information, case information, and some photographs.[10] Further, HHS OIG found that “[v]ery little of our penetration testing activity was detected by HHS OpDiv monitoring controls.”[11]
 
HHS OIG issued several recommendations which include the use of standard security requirements, requiring contractors to comply with appropriate security standards, and improving continuous monitoring procedures.[12] While the HHS Office of Information Security (OIS) concurred with the recommendations, I would like clarification on what HHS has done to achieve these objectives.
 
Cyberattacks on our government systems are an emerging threat that foreign governments and other entities seek to leverage for their benefit.[13] Such serious vulnerabilities in protecting sensitive information erode the public’s confidence in these systems. The Department must take immediate, sustained, and effective action to reduce and eliminate these threats and better protect its systems.
 
Accordingly, please provide written responses to the following questions no later than April 23, 2019:

1. Which HHS departments were notified via early alerts about the HHS OIG’s findings?

   a. On what date(s) were the HHS departments notified of the early alerts?
   b. What actions were taken to address the issues raised in the early alerts?

2. Has HHS implemented any new agency-wide cyber policies to address concerns raised in the HHS OIG report? If so, what are they and when were they implemented?

3. With respect to the HHS OIG recommendations, please provide the Committee a written summary, on a rolling basis if necessary, describing how HHS has implemented fixes sufficient to close the recommendations.[14]

4. Please provide the Committee a timeline outlining the implementation of the recommended policies and anticipated dates of compliance.
 
In addition to answering the aforementioned questions, please provide a briefing to my staff no later than April 30, 2019, regarding the steps you have taken, or plan to take, to address the concerns raised by the HHS OIG report. I anticipate that your written reply and most responsive documents will be unclassified. Please send all unclassified material directly to the Committee. In keeping with the requirements of Executive Order 13526, if any of the responsive documents do contain classified information, please segregate all unclassified material within the classified documents, provide all unclassified information directly to the Committee, and provide a classified addendum to the Office of Senate Security. Although the Committee complies with all laws and regulations governing the handling of classified information, it is not bound, absent its prior agreement, by any handling restrictions.
 
Thank you in advance for your prompt attention to these matters. Should you have any questions, please contact Josh Flynn-Brown of my Committee staff at (202) 224-4515.
 
Sincerely,
 
Charles E. Grassley
Chairman
Committee on Finance
 
Enclosures: Redacted March 1, 2019, HHS OIG Report
 
-30-



[1] See Press Release, The White House, Presidential Policy Directive -- Critical Infrastructure Security and Resilience, PPD-21 (Feb. 12, 2013).
[2] Id.
[3] Health Care Industry Cybersecurity (HCIC) Task Force, Report On Improving Cybersecurity In The Health Care Industry, at 21 (June 2017), available at https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf.
[4] U.S. Dep’t of Health and Human Serv., Office of Inspector Gen., A-18-18-08500, Summary Report for Office of Inspector General Penetration Testing of Eight Health and Human Services Operating Division Networks (2019).
[5] Id. at 1.
[6] Id. at 11.
[7] Id. at 17.
[8] Id. at 16 (noting that the Common Vulnerability Scoring System (CVSS) was used to measure the vulnerabilities). See, e.g., National Vulnerability Database, available at https://nvd.nist.gov/vuln-metrics/cvss.
[9] Id. at 17.
[10] Id. at 21.
[11] Id. at 17.
[12] Response to Request for Additional Information from Memo, submitted December 19, 2018, OCIO Comments on OIG Report A-18-18-08500, entitled, Summary Report of Office of Inspector General Penetration Testing of Eight HHS Operating Division Networks.
[13] See Letter from Hon. Charles E. Grassley, Chairman, Senate Judiciary Comm., to Hon. Francis Collins, Director, National Institutes of Health (Oct. 23, 2018); see also Letter from Hon. Charles E. Grassley, Chairman, Senate Judiciary Comm., to Hon. Jeff Sessions, Attorney General, U.S. Department of Justice (Sept. 19, 2018).
[14] See Response to Request for Additional Information from Memo, supra n. 12, at 1.