US Capitol

Add the Health and Human Services department to the growing list of cyber-attack victims.

At least five Health and Human Services (HHS) divisions were attacked in a three year span between 2011 and 2013, according to a report released last week by members of the United States House Energy and Commerce Committee. The news continues the unfortunate trend of cyber-attacks against large companies and government organizations.

The report was commissioned by committee Republicans in 2013, who launched an investigation into security at HHS following an October 15, 2013, breach of the Food and Drug Administration’s network where a hijacker was able to bypass the security protocols of an internal network.

In addition to the FDA, the report found that breaches also occurred at the Centers for Medicare and Medicaid Services, the National Institutes of Health, The Substance Abuse and Mental Health Services Administration, and the Health Resources and Services Administration.

The report discovered that the breaches were caused by security issues that included staff errors, misconfigurations and failure to install critical patches. These errors were caused by conflicts with agency contractors, lack of information regarding security incidents, negligence and poor organization.

“While it is impossible to fully protect against cyber attacks, we have a responsibility to approach these issues with necessary foresight and diligence to minimize vulnerabilities and maximize security. We look forward to working with HHS, FDA, NIH, and others to develop solutions to better protect this information,” The House Energy and Commerce Committe Chairman Fred Upton (R-MI) and Oversight and Investigations Subcommittee Chairman Tim Murphy (R-PA) said in their joint statement. “Unfortunately, the bar has been set low and we have nowhere to go but up.”

The committee recommended removing CIOs from security-related responsibilities and moving the chief information security officers out from under the purview of the CIOs and into the general council, thus allowing experts from all departments of an organization to see and influence information technology decisions.

More information about this report can be found in the iHealthBeat press release.

[ image courtesy of U.S. House of Representatives Energy and Commerce Committee ]