Data Stored in HHS Cloud Environment at Risk of Compromise, OIG Says

The Office of Inspector General within the Department of Health and Human Services has looked into the cloud environment of the HHS Office of the Secretary and found that data stored in the system are potentially at risk of compromise.

Using a network vulnerability scanner and a cloud security assessment tool to analyze the configuration settings of the cloud environment, the OIG found that several key security controls are not implemented in accordance with federal requirements and guidelines.

The ineffective implementation was due to the failure of HHS OS system owners and system security officers to identify their information systems as cloud systems, the OIG said.

To address the issues, the OIG recommended using cloud security assessment tools that identify misconfigurations and other control weaknesses in cloud services and ensuring qualified staff are assigned as system security officers for the cloud systems.

The HHS OS agreed to implement the recommendations.