Hackers, Taking Advantage of At-Home Work, Drilling into Fed Agencies
At HHS and HUD, cyber assaults have put contractor files and confidential personal information at risk.
Hackers are taking advantage of contractors and federal agencies who have workers forced to telecommute because of the pandemic, particularly those who have put the security of their online infrastructure on the back burner. according to a government watchdog report Monday. One of their latest victims: the Department of Health and Human Services, or HHS.
HHS, like other agencies with a role in the development of COVID-19 safety guidelines and a vaccine, rely on computerized information systems to collect, analyze and store highly sensitive information.
Back in February GAO said that HHS “had not collected or reported improvements resulting from the cybersecurity framework’s use.” HHS agreed to implement its recommendations, it said. But as recently as July, HHS had “not implemented them.”
The Department of Housing and Urban Development, or HUD, also got a bad report card on cybersecurity from the GAO, the investigative arm of Congress. It’s still not adequately protecting its customers’s files, the agency said.
HHS, meanwhile, “has been the target of sophisticated daily cyberattacks for the last several months,” according to a former chief information officer cited by the GAO. The official, who was not named, did not identify any suspects in the attacks.
The targets at HHS included patient information, intellectual property and public health data. Recently, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, also described “significant attacks on numerous other health care organizations, such as pharmacies, academic institutions, and medical research organizations,” the report said.
In May, the FBI and CISA alerted stakeholders that the healthcare and pharmaceutical sector are “prime targets” for Chinese hackers looking to get access to the latest covid-related research developments.
Bryan Ware, CISA’s assistant director, on Friday instructed agencies to apply a security update on all Microsoft’s Windows servers because a recently discovered flaw in the authentication system could give enough access to an unauthorized attacker to compromise all identities in Windows’ directory database.
But in a virtual event held last week by MeriTalk, a private news site focused on government technology developments, HHS Chief Information Security Officer Janet Vogel defended the agency’s efforts to better secure its infrastructure.
“We have employed tools, we have recruited people, and just done about everything you could think of to keep up with the speed of change that we're dealing with,” Vogel said.
Vogel maintained that, until this year, the department “wasn’t thought of as a premier area” for hackers. But the recent attacks “ramped up faster than we really anticipated it could or would,” she said.
The federal government has already suffered major foreign-based cyberattacks, particularly from China. Perhaps the most notorious was the 2015 theft of some 21.5 million files from the Office of Personnel Management, which holds private information on virtually every federal worker, including Social Security numbers and fingerprints gathered during security clearance investigations. The attack was attributed to hackers working for the Chinese Government.
Since 2016, the GAO has provided almost 450 IT security recommendations for federal agencies to address. Three years later, in 2019, it categorized the healthcare industry as a “high risk” area prone to cyberattacks. Last July, federal agencies had implemented 350, or about 81% of the recommendations, the GAO report found.
HHS did not respond to the GAO’s recommendation to improve the weaknesses in the department’s cybersecurity efforts.
With election campaigns in full gear and the legislative clock running out until a new Congress takes over in January, lawmakers have a scant chance at scheduling a hearing on this latest GAO cybersecurity report. In 2018, the House Subcommittee on Oversight and Investigations held a closed-door hearing to examine a previous GAO cybersecurity audit. Witnesses included top officials from HHS and the Centers for Disease Control and Prevention.
Housing Data Hit
Four years after reporting that the personal files of almost 500,000 Americans safeguarded in its system had been compromised, the Department of Housing and Urban Development is still failing to protect citizens’s sensitive information, including Social Security numbers, phone numbers, home addresses and dates of birth, the GAO said.
Personal information collected by HUD is shared with contractors and offices within the department to verify tenant eligibility for various programs and to process rental assistance payments. But HUD hasn’t established a system to ensure contractors are protecting the shared data, leaving it out in the open for hackers to manipulate, the GAO said.
In one of two 2016 incidents, HUD admitted to having posted personal information on almost 430,000 public housing residents on its website. HUD said it would offer a year of free credit monitoring services to those affected.
After the incidents, the department came forward with a plan to avoid further mistakes. It called for providing specialized privacy training to all program offices and field staff, but it did not address the management of private information provided by other agencies and contractors.
“While HUD required the federal entities with which it exchanges information to implement risk-based security controls, it did not have this same requirement for non federal entities, including state and local government, for-profit, and nonprofit organizations,” the GAO found.
In addition, HUD has failed to prioritize updating its privacy policies; tracking what information is shared with contractors; and creating a database that will monitor what personal information has been shared and with whom, the GAO said.
The department neither agreed nor disagreed with the GAO’s recommendations. David Chow, HUD’s chief information officer, said in a letter the department was “taking actions to correct the noted deficiencies” in the report.