Why OIG Did This Audit
- HHS and its operating divisions offer mobile applications (apps) to deliver services and information to people.
- Security vulnerabilities in HHS mobile apps could be exploited to compromise the underlying mobile device, sensitive data stored on the device, or connected cloud systems.
- The Agency for Healthcare Research and Quality (AHRQ) Question Builder app’s purpose is to help patients and caregivers prepare for and get the most out of medical appointments.
- We assessed the app’s cybersecurity controls between March and April 2022 to determine whether AHRQ followed required security standards and policies for developing and vetting the mobile app before it was released.
What OIG Found
- The AHRQ Question Builder app had cybersecurity controls that were generally effective in preventing our simulated cyberattacks.
- The AHRQ Question Builder app did not comply with a National Institute of Standards and Technology (NIST) security control that requires an app to provide only the functionality necessary for it to operate.
- AHRQ’s Mobile Application Development Policy did not include all standards and requirements that project officers must follow before submitting a mobile app to an app store.
What OIG Recommends
We made three recommendations to AHRQ, including that it reassess the Question Builder app to determine whether unnecessary functionality should be removed or disabled, and that it update the AHRQ Mobile Application Development Policy to include requirements related to least functionality and secure coding. The full recommendations are in the report.
In written comments on our draft report, AHRQ indicated that it agreed with our findings and described actions it has taken and plans to take to address our recommendations.
Notice
This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.