After alarming audit findings, here’s how HHS can overcome cloud security gaps
The report highlights the possibility of unauthorized access and control over critical systems.
A cybersecurity audit by the Department of Health and Human Services’ Office of Inspector General (HHS OIG) has unveiled alarming vulnerabilities within the department’s Office of the Secretary (HHS OS). These deeply concerning failures in healthcare cybersecurity present significant and immediate threats to the integrity and security of sensitive health data, potentially placing millions of individuals’ private information at risk.
Moreover, the report highlights the possibility of unauthorized access and control over critical systems, which could have devastating consequences for public health infrastructure and response mechanisms.
The central message is clear: Prioritizing cloud security and ensuring proper controls are vital to protect sensitive health data and prevent data breaches.
Initial strategic recommendations for securing HHS cloud data
In the report, HHS OIG made four pivotal recommendations to HHS OS to enhance its cloud security posture. These recommendations are best practices for any agency or healthcare organization facing similar risks. They involve developing procedures for accurate cloud system inventories, remediating control findings per National Institute of Standards and Technology (NIST) standards, implementing a strategy for prompt assessment and remediation of weak controls, and ensuring qualified staff are assigned as system security officers (SSOs).
HHS and other healthcare organizations may consider adopting additional practices that build on these recommendations. For instance, combining API, agent, network and snapshot vulnerability discovery covers assets that any single method misses: API discovery enumerates what the cloud control plane knows about, agents see inside running hosts, network scans find what is actually reachable, and snapshot scanning covers workloads where no agent can be installed. AI-powered cloud detection and response (CDR) that applies behavior analytics can surface attack activity across those assets. Incorporating infrastructure-as-code (IaC) analysis finds configuration issues before they are deployed. Lastly, cloud infrastructure entitlement management (CIEM) should be used to validate user and asset privileges against what each actually needs.
However, to comprehensively secure HHS cloud environments, agencies and healthcare organizations should look beyond these initial recommendations to include advanced and holistic cyber risk management tactics:
Adopt zero trust and real-time threat intelligence
Beyond these practices, agencies might consider adopting a zero-trust architecture, which fundamentally shifts the security posture to “never trust, always verify.” This step involves continuously monitoring and validating all users and devices, regardless of their location relative to the network perimeter. Combining this with real-time threat intelligence and behavior analytics could enhance predictive threat detection. Additionally, establishing a comprehensive incident response plan that is regularly updated and tested ensures preparedness for mitigating breaches swiftly and effectively. Finally, fostering a security culture through ongoing training and awareness programs for all employees can significantly reduce human error, a common vulnerability in government cloud environments.
Integrate AI and automation to reduce risks from manual processes
The HHS OIG audit identified cloud systems through manual documentation review and interviews, and in doing so exposed the inefficiency of that approach. Manual documentation of systems is labor-intensive and prone to inaccuracies, particularly in the dynamic environment of modern cloud services, which can span servers, automation scripts and microservices. A cloud-native application protection platform (CNAPP) automates the identification and correlation of cloud services directly from the providers’ APIs, giving comprehensive visibility and an up-to-date inventory and thus mitigating the risks inherent in manual processes.
Deploy CNAPPs to mitigate risk and ensure compliance
The penetration testing performed during the HHS OIG audit revealed vulnerabilities attackers could exploit to gain unauthorized access and elevate privileges. A CNAPP, with its comprehensive vulnerability detection and mitigation capabilities, could help preempt such vulnerabilities. CNAPPs also integrate cloud security posture management (CSPM), automating the analysis of cloud configurations and ensuring continuous compliance with standards such as NIST SP 800-53 Rev. 4 (Rev. 5 has since superseded it, so control mappings should be kept current), ultimately limiting successful exploitation by domestic and foreign adversaries.
The multifaceted nature of cloud environments calls for multiple vulnerability detection methods; relying on a single method leaves blind spots. Advanced CSPMs provide continuous monitoring and compliance checking, promptly identifying high-risk issues such as exposed data repositories and misconfigured settings. Automating these checks is crucial for maintaining security integrity and preventing future breaches.
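As an added illustration of what the IaC analysis and CIEM privilege validation mentioned earlier, and the CSPM misconfiguration checks just described, actually do, the following Python script is example code written for this article, not a Qualys product or HHS tooling. It parses a constructed Terraform JSON-syntax document (embedded in the script; every resource name, bucket name and policy in it is made up) and flags an S3 bucket with a public ACL and no public-access block, a security group that admits SSH from 0.0.0.0/0, and an IAM policy granting Action "*" on Resource "*". The check names and thresholds (for instance, which ports count as administrative) are this example’s own assumptions.

```python
"""Added example: a minimal infrastructure-as-code (IaC) configuration check.
Illustrative code written for this article, not Qualys, HHS or any CNAPP vendor's tooling.
Every resource name, bucket name, policy and port list below is an assumption.
"""
import json

# Constructed sample in Terraform JSON syntax (made up, not real HHS configuration).
SAMPLE_TF_JSON = r'''
{
  "resource": {
    "aws_s3_bucket": {
      "phi_exports": {"bucket": "example-phi-exports", "acl": "public-read"},
      "audit_logs": {"bucket": "example-audit-logs", "acl": "private"}
    },
    "aws_s3_bucket_public_access_block": {
      "audit_logs": {"bucket": "${aws_s3_bucket.audit_logs.id}",
                     "block_public_acls": true, "block_public_policy": true,
                     "ignore_public_acls": true, "restrict_public_buckets": true}
    },
    "aws_security_group": {
      "bastion": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
      "app": {"ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}
    },
    "aws_iam_policy": {
      "ops_admin": {"policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}]}"},
      "log_reader": {"policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\"],\"Resource\":\"arn:aws:s3:::example-audit-logs/*\"}]}"}
    }
  }
}
'''

ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM (assumed list)
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")

def parse_tf_json(text):
    return json.loads(text)

def _resources(doc, rtype):
    """Yield (name, body) pairs for every resource of the given type."""
    return doc.get("resource", {}).get(rtype, {}).items()

def check_public_buckets(doc):
    """Exposed data repositories: a public ACL, or no complete public-access block."""
    blocks = {}
    for _, body in _resources(doc, "aws_s3_bucket_public_access_block"):
        ref = body.get("bucket", "")
        # Map "${aws_s3_bucket.NAME.id}" back to the bucket resource name.
        if ref.startswith("${aws_s3_bucket.") and ref.endswith(".id}"):
            blocks[ref[len("${aws_s3_bucket."):-len(".id}")]] = body
    findings = []
    for name, body in _resources(doc, "aws_s3_bucket"):
        if body.get("acl") in PUBLIC_ACLS:
            findings.append((name, f"public ACL {body['acl']}"))
        pab = blocks.get(name)
        if pab is None or not all(pab.get(f) is True for f in PAB_FLAGS):
            findings.append((name, "public access block missing or incomplete"))
    return findings

def check_open_admin_ports(doc):
    """Network exposure: ingress from anywhere on an administrative port or all traffic."""
    findings = []
    for name, body in _resources(doc, "aws_security_group"):
        for rule in body.get("ingress", []):
            cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
            if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
                continue
            lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
            if rule.get("protocol") == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append((name, f"ingress from anywhere on ports {lo}-{hi}"))
    return findings

def check_wildcard_iam(doc):
    """Over-privileged identities: an Allow statement with Action "*" on Resource "*"."""
    findings = []
    for name, body in _resources(doc, "aws_iam_policy"):
        policy = body.get("policy", {})
        if isinstance(policy, str):  # Terraform usually embeds the policy as a JSON string
            policy = json.loads(policy)
        stmts = policy.get("Statement", [])
        for s in ([stmts] if isinstance(stmts, dict) else stmts):
            actions, resources = s.get("Action", []), s.get("Resource", [])
            actions = [actions] if isinstance(actions, str) else actions
            resources = [resources] if isinstance(resources, str) else resources
            if s.get("Effect") == "Allow" and "*" in actions and "*" in resources:
                findings.append((name, "Allow Action * on Resource *"))
    return findings

def scan(tf_json_text):
    """Run every check and return the findings as a list of dicts."""
    doc = parse_tf_json(tf_json_text)
    return [{"check": check.__name__, "resource": name, "issue": why}
            for check in (check_public_buckets, check_open_admin_ports, check_wildcard_iam)
            for name, why in check(doc)]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_TF_JSON), indent=2))
```

Run the file directly to print the four findings as JSON. A CSPM performs the same kind of checks against the live account through the provider’s APIs rather than against the template, and a CIEM extends the last check from literal wildcard policies to the effective permissions an identity accumulates across roles, groups and resource policies.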
Use zero-day detection to identify and neutralize cyber threats
It’s also essential to recognize that even the most robust security measures can’t eliminate risk. Adversaries often evolve faster than agencies can mitigate vulnerabilities, and human error remains a significant factor. Therefore, agencies must both manage risks and actively defend against attacks. Advanced CDR methods that detect attacker behavior, rather than relying on signatures for already-known vulnerabilities, can identify and neutralize threats, including zero-day exploitation, before they become breaches. Such systems could have detected many of the exploits the HHS OIG report identified before they succeeded.
Bridging visibility gaps: A path forward for cloud security
As a final note, the security findings of the HHS OIG report serve as a stark reminder of the critical importance of robust cloud security measures to protect healthcare data.
Agencies like HHS must act quickly and decisively to secure their cloud environments, ensuring the protection of sensitive data and compliance with regulatory standards. For instance, adopting comprehensive CNAPPs and advanced CDR methods can bridge visibility gaps, automate compliance and fortify defenses against increasingly sophisticated cyber threats.
By proactively managing cyber risk using these recommendations, healthcare organizations and other agencies can build a robust defense against the ever-evolving landscape of cyber threats, secure their cloud environments and protect sensitive patient data from potential breaches.
Kunal Modasiya is vice president of product management at Qualys.
Copyright © 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.