The inspector general’s report concluded that these failures left the HHS Protect program, before it was deployed, “vulnerable to an unknown and potentially unacceptably high risk of failure or exposure to unintended disruptions (e.g., man-made or natural disasters) or cyberattacks.” A successful attack could have hampered response to a pandemic, the report concluded.
The report, dated November 2, 2021, was released, by title only, two days later. My colleague Nate Jones received the full report last month as part of a Freedom of Information Act request, which cited “restricted, sensitive information” as the reason for the restricted disclosure.
The report also found similar flaws in another related HHS program called TeleTracking. But on August 24 — the same day that the Inspector General (IG) delivered the report to the Washington Post — the IG revoked the whole report. It cited unspecified inaccuracies in the part of the report examining TeleTracking.
Just last month, leaders of the Cyberspace Solarium Commission (now known as CSC 2.0) wrote to HHS raising concerns about how well it is keeping the health and public health sectors safe.
“This suggests that the other half of their responsibilities are equally challenged,” Mark Montgomery, executive director of CSC 2.0, told me, citing HHS’ need to defend its own information technology. “It takes a lot of leadership bandwidth to fix those two elements.”
HHS Protect collects information such as case counts, hospital capacity, and population and demographic data from federal, state, and local governments and the healthcare sector.
When HHS launched HHS Protect in April 2020, the program was still working on some “basic controls” of cybersecurity, according to the audit, which found that the department did not fully:
- Evaluate the potential privacy impact of the program.
- Identify threats and risks.
- Provide an overview of the security requirements and describe the protective measures to meet them.
- Determine the potential impact of program disruption.
- Analyze it systematically for weaknesses.
- Write a plan to recover failed systems.
Additionally, no official from the agency initially granted HHS Protect an “operate permit,” an express approval of the program’s risks for HHS’s operations. That final approval came nine months later, and by early last year it hadn’t completed a risk assessment or contingency plan either.
HHS did not respond to requests for comment on whether it had addressed the deficiencies noted in the report. According to the report, “The HHS Office of the Chief Information Officer stated that some pre-launch cyber assessments were conducted on an ad hoc basis and they believed, based on their expertise, that HHS Protect was secure when deployed. However, we could not verify that OCIO conducted cyber assessments as no documentation was produced.”
All of this posed serious risks for HHS, the audit found.
“While HHS did not report a major incident for HHS Protect or TeleTracking during our audit period, HHS systems continued to be prime targets for cyberattacks,” the IG report reads. “If an attack had been successful, the systems or data could have been potentially destroyed or compromised, and HHS might not have been able to recover the systems or data in a timely manner, significantly hampering critical pandemic response efforts.”
But the report at least partially defends HHS for how it set up the programs.
“Cybersecurity controls for both systems were not implemented prior to deployment because HHS officials prioritized deploying the systems for operational deployment to fulfill the agency’s mission to combat the Covid-19 pandemic, rather than meeting all federal requirements prior to deployment.”
A former government official, who spoke on condition of anonymity because they are not authorized to speak publicly, was less understanding. “Oof,” they said in a message to me about the lack of a privacy impact assessment. “That would have been the absolute minimum for this system.”
A spokesperson for the IG said they could not discuss what was inaccurate about the TeleTracking check. In the report, HHS rejected three IG recommendations: two that recommended carrying out some of the cybersecurity measures for HHS Protect and another that did the same for TeleTracking. Until November 2, the IG had defended its recommendations.
“We are unable to provide any further details at this time as the additional audit work is ongoing and the OIG is not discussing the details of the ongoing work,” IG spokesperson Yvonne Gamble said.
Although the IG concluded that only the TeleTracking portion of the report contained inaccuracies, “auditing standards require that we void the entire report in such circumstances,” Gamble said.
There was also no connection between the fulfillment of The Post’s FOIA request and the revocation, which occurred on the same day, Gamble said.
“The two events are unrelated,” Gamble said. “HHS provided information and documentation to OIG after the audit was completed. The revocation is based on the analysis of this new information and interviews.”
Researchers say the newly discovered hack could be the work of a government contractor
The hackers, which researchers at SentinelOne’s SentinelLabs called Metador, targeted a Middle Eastern telecommunications company, journalist Kim Zetter reports. But the campaign left researchers speculating about who was behind the hack, with SentinelLabs’ senior director Juan Andrés Guerrero Saade speculating that it could be a contractor working for a country.
“Who might be behind the activity, SentinelOne says there isn’t enough evidence to determine,” Zetter writes. “However, based on some insights in the code, some of the operators and developers appear to be native speakers of English, while others appear to speak Spanish. In addition, the build times for some of the malicious components indicate that the developers may be based in the UTC+1 time zone. The latter includes many nations, but that includes Britain and Spain.”
Health apps share health concerns and identifiers with advertising companies
Popular Android health apps give advertisers information they need to market to people based on their health conditions, Tatum Hunter and Jeremy B. Merrill report. Users have few digital privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA), and people consent to the apps’ practices by accepting their jargon-filled privacy policies.
Most data does not directly identify individuals, but some is shared using “identifiers,” which are strings of numbers associated with devices.
“But privacy experts say that sending user identifiers along with keywords from the content we visit puts consumers at unnecessary risk,” write Tatum and Jeremy. “Large data collectors such as brokers or advertisers could piece together an individual’s behavior or concerns using multiple pieces of information or identifiers. This means that ‘depression’ could become another data point that helps companies target or profile us.”
Jamal Khashoggi’s wife sues NSO Group over Pegasus spyware (The Guardian)
“You’re Watching”: Inside Russia’s Vast Surveillance State (The New York Times)
Cyber attack steals passenger data from Portuguese airline (Associated Press)
Alleged Chinese hackers target Tibetan media and politicians (Bloomberg News)
Proton CEO shuts down Indian VPN servers to protest cybersecurity rules (The Wall Street Journal)
Twitter Announces Users Were Not Logged Out of Accounts After Password Reset (TechCrunch)
Denver suburb won’t spew out millions of ransomware attacks that shut down City Hall (The Denver Post)
Montana Breaks New Ground With Facial Recognition In Schools (Montana Public Radio)
New review examines NSA and Cyber Command ‘dual hat’ structure (The Record)
NSA Shares Guidance on Securing Critical OT/ICS Infrastructure (Bleeping Computer)
Senators Wyden and Warren urge NTIA to protect “highly sensitive” domain registration information (The Record)
Convicted Twitter spy says US hid whistleblower report (Bloomberg News)
- Microsoft Chief Information Security Officer Bret Arsenault discusses cloud innovation and security at a live Washington Post event Wednesday at 9 a.m.
- The House Science Committee is holding a hearing on artificial intelligence Thursday at 10:30 a.m.
- The US Naval Institute is hosting an event on cyber threats and disinformation Thursday at 10:30 a.m.
- Reps. Frank Pallone Jr. (D-N.J.) and Cathy McMorris Rodgers (R-Wash.), top members of the House Energy and Commerce Committee, will discuss privacy laws at a live Washington Post event Thursday at 11 a.m.
Thank you for reading. Until next week.