A look into whether one HHS component is properly securing its cloud information systems


A new audit looks at how one agency within the Department of Health and Human Services (HHS) manages its cloud computing assets. The HHS inspector general looked specifically at the Administration for Children and Families. To learn more, Federal News Network’s Eric White spoke to the Assistant Inspector General for Cybersecurity and IT audits, Tamara Lilly on the Federal Drive with Tom Temin.

Interview Transcript:

Tamara Lilly: So each year we look at what work we want to accomplish and we plan it out. And in the case of this work, after, you know, lots of headlines, we keep on top of what’s going on and when, and what is having the greatest impact on the government, in this case with regards to cybersecurity in a not so positive way, and decided from that to focus a body of work, a series of audits, on cloud computing at HHS. And this is just one of several entities within HHS where we all do this type of assessment.

Eric White: Gotcha. And yeah, before we actually get into the report itself, since a lot of folks probably aren’t aware of it, what is the Administration for Children and Families and what role do they play within HHS?

Tamara Lilly: Well, for HHS, the Administration for Children and Families, their mission is to foster health and well-being by providing federal leadership and partnership and resources for the compassionate and effective delivery of human services. The program offices are specialized to support a variety of initiatives that are intended to empower families and individuals, and improve access to services to create strong and healthy communities.

Eric White: So in examining them, what kinds of cloud inventories do they actually have and utilize for that mission? And what did you all find when you looked at them?

Tamara Lilly: So ACF uses cloud services, actually uses information systems in general, to provide those types of services to the populations and communities they serve. So for example, probably one of the more well-known programs that ACF runs is the Unaccompanied Children program. And there are other programs around health and education. So in delivering those services, and in accordance with a mandate from the Office of Management and Budget, which was published in 2019, ACF, along with all of government, were required to accelerate their transition or their adoption of cloud-based solutions. And the reason being is these solutions offer agencies the ability to perform their tasks, their missions, in a way that is more cost effective because they are able to increase or decrease as their resources dictate.

Eric White: We’re speaking with Tamara Lilly, assistant inspector general for cybersecurity and IT audits at the Health and Human Services Inspector General. And so how did they do? What did they have in place to safeguard any of that information that is stored on their cloud computing assets?

Tamara Lilly: Overall, we found there are opportunities for them to improve. While some of the security mechanisms that are in place for these cloud information systems were effective, in that we had conducted some phishing attacks, those are the attacks with the emails trying to convince users to click on a link or such in order for an adversary to steal your information. Those types of attacks, we found overall that they prevented our attempt to attack them. And also we found that with some of their systems that are used to interact with the public, that they were able to prevent some of our simulated cyber attacks with those as well. However, we also found that several other security controls were not as effectively implemented to protect against some other simulated attacks that we performed. Overall, we found that there were 19 security controls in the cloud systems environment that need to be improved in order to comply with federal requirements.

Eric White: Yes. And you all made a series of recommendations, as the IG usually does. What did those include? And was there any response from the agency, the ACF itself?

Tamara Lilly: Yes, they actually spanned numerous controls, for example, access enforcement, least privilege. So all these together are the controls that should be implemented to ensure that those that shouldn’t have access to the system don’t have that access, and that, in this case, only the access that’s needed for their employees to do their jobs is provided. So overall, what we found is that those controls, those 19 controls, should be remediated. We also found, taking a step back, one of the challenges that ACF had was inventorying properly or accurately their cloud information systems. And this is important because knowing what you have in your environment will dictate or assist you in deciding how to protect it and what protections should be in place. So we found that they lacked some policies and procedures around how to accomplish that and to maintain a sustained and accurate inventory. We also found that they lacked some much needed procedures that would detail for their IT, their information technology, operational staff how to implement some security baselines or some security mechanisms in those cloud environments, such that they comply with HHS as well as overall federal government requirements. And with regards to those simulated attacks that we successfully accomplished, we learned that some of the cloud configurations were weak. And so we recommended that they again become familiar with and implement the controls necessary to prevent those types of simulated attacks.

Eric White: Can we talk a little bit about the stakes here? You mentioned how the agency didn’t necessarily have a good grasp of the sorts of data that it had in its inventory. Are we talking about, you know, personally identifiable information for unaccompanied children, or is there a, I guess, a high risk of somebody actually wanting to get hold of this information from the department?

Tamara Lilly: So just to clarify, it wasn’t that we found that the specific data was at risk. What we found is that the controls around protecting that data were not as strong or as strengthened as they should be. And therefore, the potential for exposure of that sensitive information was of concern to us. So in that regard, we overall found that there was an opportunity for ACF to improve and tighten up those to prevent such leakages from happening, which would and potentially could have a detrimental effect on those that they service in the communities that they provide assistance to.

Eric White: Gotcha. Okay. Thanks for the clarification there. And so in your analysis of it, what are the, you know, I’m just curious, is this an exposure that is always there and could always be improved upon just because of the public engagement that this agency in particular has, and the levels of, you know, it’s just going to be more about having due diligence and making sure the policies are in place? Or is there some way that you can, you know, is cloud computing with a public-facing mechanism always going to have these risks associated with it?

Tamara Lilly: I will say, and it’s a good question, it is the nuance, if you will, of cloud computing that increases the risk for agencies and for any entity that is sharing responsibility. So the whole model with cloud computing is that some service provider or some other entity, a contractor, provides some part of the system, and then the entity doing the contracting provides another or other parts of the system or software, and together they work to provide or accomplish a mission or a task or such. And whenever you have more than one, the risk is that, of course, I might do what I’m supposed to do, you may not do what you’re supposed to do, or vice versa. Or we do a little bit of not enough in both cases. So that’s more of a risk in the cloud computing environment. And so in this case, it’s important that both parties clearly identify who should be doing and who is responsible for doing what, that they create the policies and procedures around how that should be done, how often it should be done, and also who should be doing it. And then one other consideration is that they test, test and test and retest to ensure that those mechanisms, or security mechanisms, they put in place will actually protect the systems and the data that those systems contain from adversarial attacks, and, ironically, also protect against the unintentional mishaps that could be a result of bad weather events or a well-intentioned employee clicking on the wrong thing.

Copyright © 2024 Federal News Network. All rights reserved.
