OIG audit reveals web app security weaknesses at large hospital

Weak authentication and input validation controls made certain web apps at a large hospital in the Southeast vulnerable to cyberattacks, OIG said.

The HHS Office of Inspector General, or OIG, identified web application security gaps at a large, unnamed Southeastern hospital in a recent audit. OIG analyzed four internet-accessible web applications used by the hospital and identified gaps in authentication and validation controls. The audit serves as a reminder to healthcare organizations to improve web app security controls to further reduce cybersecurity risk.

OIG's objective was to determine whether the hospital had implemented proper cybersecurity controls to prevent cyberattacks, ensure continuity of patient care and protect Medicare enrollee data. The audited hospital has more than 300 beds and is part of a network of providers that share protected health information for treatment, payment and healthcare operations.

Before exploring the hospital's security weaknesses, OIG identified several strengths. For example, the hospital had implemented backup strategies, incident response and disaster recovery controls to ensure continuity of care in the event of a cyberattack. The hospital also implemented controls that effectively prevented and detected most of the simulated cyberattacks that OIG conducted during the audit.

However, OIG identified a few notable gaps that could allow cyberattacks to persist. For example, through its simulated phishing attacks, BreakPoint Labs (the company with which OIG contracted to conduct tests of the hospital's systems) successfully captured a user's login credentials.

The credentials allowed the testers to gain access to the hospital's account management web application, since the hospital had not designed and implemented strong enough user identification and authentication (UIA) controls for the application.

"Weak UIA controls could allow malicious threat actors to compromise web application authenticators (e.g., username and password) or manipulate the web application's functionality, elevate their privileges within the system, and extract sensitive data from the application database," the report noted.

"To our knowledge, the systems we were able to exploit did not contain patient information. However, threat actors could have used the user account information gathered from within the application to perform more targeted social engineering campaigns and attacks to find exploitable weaknesses in critical administrative or clinical systems on the Entity’s network."

Additionally, OIG found that one of the four web applications it tested had a security weakness in its input validation controls that allowed manipulation of the application. This vulnerability existed because the hospital had not conducted effective vulnerability testing for the web application, and the application was not behind a web application firewall.

"Without the effective testing of web applications and effective WAF protection, input validation vulnerabilities in the Entity’s other web applications could have been exploited," the report noted. "Such exploitation could lead to the execution of malicious code or manipulation of web applications."

As a result of these weaknesses, OIG recommended that the hospital implement stronger UIA controls for the account management web application, periodically update user identification and authentication controls across the entity's systems and assess all web applications to determine whether any need an automated technical solution, such as a firewall, implemented to add an additional layer of security.

What's more, OIG recommended that the hospital use a wider array of security testing tools and techniques, such as dynamic application testing tools and manual, interactive testing, in order to better detect vulnerabilities in web applications.

The hospital concurred with all of OIG's recommendations and took steps to address them by deploying web application firewalls, adopting a "defense in depth" strategy to mitigate compromised user identifications, and enhancing attack surface management capabilities.

Jill Hughes has covered healthcare cybersecurity and privacy news since 2021.
