OIG: CMS’ Wireless Network Has Significant Vulnerabilities
CMS’ wireless network has significant vulnerabilities, the Office of Inspector General (OIG) said in a recent report.
Between August and December 2015, the OIG performed wireless penetration testing at 13 CMS data centers and facilities. The tests simulated the tools and techniques hackers commonly use to gain access to wireless networks. CMS’ security controls were able to prevent certain attacks, but the OIG found four vulnerabilities in the agency’s wireless network security. The vulnerabilities were collectively, and in some cases individually, significant, the OIG said. The OIG did not identify the specific vulnerabilities or methods that could be used to exploit them, but said that the vulnerabilities could have resulted in unauthorized access to and disclosure of personally identifiable information and could have damaged the integrity and availability of CMS’ data.
The vulnerabilities are the result of improper configurations and failure to complete necessary upgrades, CMS said. The agency was aware of these issues and was reportedly taking action to address them.
The OIG recommended that CMS address all identified vulnerabilities, and CMS agreed. However, the agency commented that it had decided to accept some of these risks.