
Some HHS Requirements for Vetting Mobile Apps Were Not Followed Prior to the Release of the AHRQ Question Builder App

Issued on  | Posted on  | Report number: A-18-22-09008

Why OIG Did This Audit

  • HHS and its operating divisions offer mobile applications (apps) to deliver services and information to people.
  • Security vulnerabilities in HHS mobile apps could be exploited to compromise the underlying mobile device, the sensitive data stored on it, or the cloud systems it connects to.
  • The Agency for Healthcare Research and Quality (AHRQ) Question Builder app’s purpose is to help patients and caregivers prepare for and get the most out of medical appointments.
  • We assessed the app’s cybersecurity controls between March and April 2022 to determine whether AHRQ followed required security standards and policies for developing and vetting the mobile app before it was released.

What OIG Found

  • The AHRQ Question Builder app had cybersecurity controls that were generally effective in preventing our simulated cyberattacks.
  • The AHRQ Question Builder app did not comply with a National Institute of Standards and Technology security control to provide only the necessary functionality for an app to operate.
  • AHRQ’s Mobile Application Development Policy did not include all standards and requirements that project officers must follow before submitting a mobile app to an app store.

What OIG Recommends

We made three recommendations to AHRQ, including that it reassess the Question Builder app to determine if unnecessary functionality should be removed or disabled and update the AHRQ Mobile Application Development Policy to include requirements related to least functionality and secure coding. The full recommendations are in the report.

In written comments on our draft report, AHRQ indicated that it agreed with our findings and described actions it has taken and plans to take to address our recommendations.
