
OIG conducts wireless security testing on CMS, gives tight-lipped thumbs-up

The Office of Inspector General (OIG) recently revealed it submitted CMS to “wireless penetration testing.” Don't worry, it’s not as bad as it sounds.
 
The testing, known as pen testing in the industry, is an authorized, controlled attempt to break into a wireless system using the same techniques a real attacker would, to find out whether it can be hacked before someone else does. To give you some idea, an advanced Wi-Fi pen testing workshop given at the Blackhat USA conference last year included modules such as "Attacking the WLAN Infrastructure - Rogue Devices, Evil Twins, DoS Attacks, MITM, Wi-Fi Protected Setup" and "Attacking the Wireless Client - Honeypots and Hotspot attacks, Caffe-Latte, Hirte, Ad-Hoc Networks and Viral SSIDs, WiFishing."
 
OIG said in a report issued Aug. 17 that it had run the tests on CMS between Aug. 31 and Dec. 4, 2015.
 
How’d CMS do? Although OIG pronounced CMS’ security controls “effective in preventing certain types of wireless cyberattacks” and did not report that they had successfully breached any of them, it nonetheless found “vulnerabilities” because of “improper configurations and failure to complete necessary upgrades that CMS previously identified and reported as having been currently underway.”
 
The report was short on details, which was to be expected. “It would be very interesting to learn the details of the OIG testing, and see if any of that can be extrapolated to medical clinics and offices,” says David Kibbe, president and CEO of DirectTrust, a network of health information service providers in Washington, D.C., and senior advisor to the American Academy of Family Physicians’ Alliance for eHealth Innovation.
 
CMS did reveal in its response to OIG that “the CMS Employee Wireless network requires two-factor authentication; the internal network can then only be accessed through a virtual private network (VPN) over the wireless connection.” The agency also revealed its Guest Wireless Network “is isolated from the internal network and the CMS Employee Wireless network,” and both networks “are continuously monitored and automatically block threats using a security prevention technology.” In other words, it sounds like pretty much any mid- to large-sized public-facing company with a decent IT department.
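The properties CMS describes above (guest network isolated from the internal and employee networks, internal access from employee wireless only through the VPN) are the kind of thing a defender can check mechanically rather than take on faith. The following is an added example, not code from the article, OIG or CMS: a small policy checker that evaluates a firewall-style ruleset top-down with first-match-wins and an implicit deny, then probes it for the stated isolation properties. All subnets, the VPN gateway address, the rulesets and the probe addresses are constructed for illustration and say nothing about CMS's real configuration. The second ruleset shows how one misplaced broad "allow" rule silently defeats the segmentation, the sort of improper configuration a report like OIG's would flag.

```python
"""Segmentation policy checker (added example; constructed data throughout)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # None means any port


# Hypothetical network segments (constructed addressing, not CMS's).
GUEST_WIFI = "10.10.0.0/16"      # guest wireless network
EMPLOYEE_WIFI = "10.20.0.0/16"   # employee wireless, reached after two-factor auth
VPN_GATEWAY = "10.30.0.10/32"    # VPN concentrator that fronts the internal network
INTERNAL = "10.100.0.0/16"       # internal corporate network
ANYWHERE = "0.0.0.0/0"           # catch-all used for "internet" egress

# Constructed ruleset that implements the stated properties. Order matters:
# the specific denies sit above the broad egress allows.
RULESET: List[Rule] = [
    Rule("allow", EMPLOYEE_WIFI, VPN_GATEWAY, 443),  # VPN over TLS is the only door inward
    Rule("deny", EMPLOYEE_WIFI, INTERNAL, None),     # no direct path from employee Wi-Fi
    Rule("allow", EMPLOYEE_WIFI, ANYWHERE, None),    # ordinary internet egress
    Rule("deny", GUEST_WIFI, INTERNAL, None),        # guest isolated from internal
    Rule("deny", GUEST_WIFI, EMPLOYEE_WIFI, None),   # guest isolated from employee Wi-Fi
    Rule("allow", GUEST_WIFI, ANYWHERE, None),       # guests only get the internet
]

# Same rules, but the guest egress allow was placed first. Because 0.0.0.0/0
# also covers the internal ranges, the denies below it never fire.
MISORDERED_RULESET: List[Rule] = [
    Rule("allow", GUEST_WIFI, ANYWHERE, None),
    Rule("deny", GUEST_WIFI, INTERNAL, None),
    Rule("deny", GUEST_WIFI, EMPLOYEE_WIFI, None),
    Rule("allow", EMPLOYEE_WIFI, VPN_GATEWAY, 443),
    Rule("deny", EMPLOYEE_WIFI, INTERNAL, None),
    Rule("allow", EMPLOYEE_WIFI, ANYWHERE, None),
]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """Return True if the flow is permitted: first matching rule wins, else implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (rule.port is None or rule.port == port)):
            return rule.action == "allow"
    return False


def check_isolation(rules: List[Rule]) -> List[str]:
    """Probe the ruleset against the stated properties; return the names of any that fail."""
    # (description, src, dst, port, expected_result) with constructed probe addresses
    probes = [
        ("guest cannot reach internal", "10.10.5.5", "10.100.1.1", 445, False),
        ("guest cannot reach employee wifi", "10.10.5.5", "10.20.1.1", 22, False),
        ("employee wifi cannot reach internal directly", "10.20.1.1", "10.100.1.1", 445, False),
        ("employee wifi can reach VPN gateway", "10.20.1.1", "10.30.0.10", 443, True),
        ("guest can reach internet", "10.10.5.5", "93.184.216.34", 443, True),
    ]
    return [name for name, s, d, p, expected in probes
            if evaluate(rules, s, d, p) != expected]


if __name__ == "__main__":
    for label, rules in (("correct", RULESET), ("misordered", MISORDERED_RULESET)):
        findings = check_isolation(rules)
        print(f"{label}: {'OK' if not findings else 'VIOLATIONS: ' + ', '.join(findings)}")
```

The probes encode the policy as expectations independent of the rules, which is the point: when the ruleset drifts (a rule added for convenience, an upgrade rolled back), the check still states what should be true and reports exactly which property broke.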
 
CMS said it “appreciates the OIG's suggestion of controls and processes that could be improved to further reduce or mitigate risk … and is in the process of addressing the remaining findings.”

Blog Tags: CMS, compliance