Covid-tracking program lacked bare minimum cyber protections


Welcome to The Cybersecurity 202! Volcanoes are amazing. I might see my first one in person during an upcoming trip.

Below: Researchers say a newly disclosed hacking campaign could be the work of contractors, and Android health apps share personal data with advertisers. First:

A little-seen watchdog report revealed big cybersecurity shortcomings for an HHS program

The Department of Health and Human Services (HHS) failed to implement basic protections against hackers when it developed a system to track covid-19 data in 2020, according to an internal watchdog report it never made publicly available.

The inspector general report concluded that those failures before deployment of the HHS Protect program left it “susceptible to an unknown and possibly unacceptably high risk of failure or compromise from unintentional disruptions (e.g., man-made or natural disasters) or cyberattacks.” A successful attack could’ve hampered pandemic response, the report concluded.

Dated Nov. 2, 2021, the report was publicly released two days later in title only. My colleague Nate Jones obtained the full report last month under a Freedom of Information Act request; “restricted, sensitive information” was the reason cited for its limited distribution.

The report also found similar failings in another, related HHS program called TeleTracking. But on Aug. 24 — the same day the inspector general (IG) delivered the report to The Washington Post — the IG rescinded the whole report. It cited unspecified inaccuracies in the part of the report that scrutinized TeleTracking.

Just last month, the leaders of the Cyberspace Solarium Commission (now known as CSC 2.0) wrote to HHS, citing concerns about how well it was helping to secure the health and public health sector.

“This indicates that the other half of their responsibility is equally challenged,” Mark Montgomery, executive director of CSC 2.0, told me, referring to HHS’s need to defend its own information technology. “To fix both of these elements is going to take a lot of senior leadership bandwidth.”

HHS Protect collects information such as case counts, hospital capacity, and population and demographic data from federal, state and local governments, as well as the health-care sector.

When HHS deployed HHS Protect in April of 2020, the program hadn’t completed work on some “foundational controls” on cybersecurity, according to the audit, which found that the department didn’t fully:

  • Assess the potential privacy impact of the program.
  • Identify threats and risks.
  • Provide an overview of security requirements and describe the protections in place to meet them.
  • Determine the potential impact of the program being disrupted.
  • Systematically evaluate it for vulnerabilities.
  • Write a plan on how to restore disrupted systems.

Furthermore, no agency official initially gave HHS Protect an “authorization to operate,” an explicit acceptance of the program’s risks to HHS operations. That final authorization arrived nine months later, and as of early last year, the program also still hadn’t completed a risk assessment or contingency plan.

HHS did not answer requests for comment about whether it had addressed…


