Some HHS Requirements for Vetting Mobile Apps Were Not Followed Prior to the Release of the AHRQ Question Builder App

Issued on  | Posted on  | Report number: A-18-22-09008

Why OIG Did This Audit

  • HHS and its operating divisions offer mobile applications (apps) to deliver services and information to people.
  • Security vulnerabilities in HHS mobile apps could be exploited to compromise the underlying mobile device, sensitive data on the device, or connected cloud systems.
  • The Agency for Healthcare Research and Quality (AHRQ) Question Builder app’s purpose is to help patients and caregivers prepare for and get the most out of medical appointments.
  • We assessed the app’s cybersecurity controls between March and April 2022 to determine whether AHRQ followed required security standards and policies for developing and vetting the mobile app before it was released.

What OIG Found

  • The AHRQ Question Builder app had cybersecurity controls that were generally effective in preventing our simulated cyberattacks.
  • The AHRQ Question Builder app did not comply with a National Institute of Standards and Technology security control to provide only the necessary functionality for an app to operate.
  • AHRQ’s Mobile Application Development Policy did not include all standards and requirements that project officers must follow before submitting a mobile app to an app store.

What OIG Recommends

We made three recommendations to AHRQ, including that it reassess the Question Builder app to determine if unnecessary functionality should be removed or disabled and update the AHRQ Mobile Application Development Policy to include requirements related to least functionality and secure coding. The full recommendations are in the report.

In written comments on our draft report, AHRQ indicated that it agreed with our findings and described actions it has taken and plans to take to address our recommendations.

25-A-18-027.01 to AHRQ - Open Unimplemented
Update expected on 06/16/2025
We recommend that the Agency for Healthcare Research and Quality reassess the Question Builder app to determine if the unnecessary functionality and privileges built into the app can and should be removed or formally assess, document, and accept the risk of not removing them.

25-A-18-027.02 to AHRQ - Open Unimplemented
Update expected on 06/16/2025
We recommend that the Agency for Healthcare Research and Quality update the AHRQ Mobile Application Development Policy to require project officers and app developers to assess AHRQ mobile apps for unnecessary or unused functionality and remove or disable such functionality where feasible before submitting it to an app store and establish a procedure to ensure adherence to these requirements.
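The assessment for unnecessary functionality that this recommendation calls for can be partly automated. The following is an added example, not code from the OIG report or from AHRQ: it assumes the app is an Android app with a standard AndroidManifest.xml and that the project has documented which permissions and exported components its features actually need. The manifest and allowlist below are constructed for illustration; the check reports anything declared beyond that baseline, plus application flags that should not ship in a public release.

```python
"""Least-functionality review of an Android manifest (added example).

Hypothetical helper, not from the OIG report or the AHRQ project. It assumes
an Android app with a standard AndroidManifest.xml and an allowlist that the
project maintains of the permissions and exported components its documented
features require.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's namespaced-attribute prefix

# Constructed sample manifest; not the AHRQ app's real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.questionbuilder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:allowBackup="true" android:debuggable="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".DebugActivity" android:exported="true"/>
        <service android:name=".SyncService" android:exported="false"/>
    </application>
</manifest>
"""

# Constructed allowlist: what the app's documented features need.
REQUIRED_PERMISSIONS = {"android.permission.INTERNET"}
ALLOWED_EXPORTED = {".MainActivity"}


def review_manifest(manifest_xml, required_permissions, allowed_exported):
    """Return (category, item) findings for functionality beyond the allowlist."""
    root = ET.fromstring(manifest_xml)
    findings = []

    # Every declared permission must be justified by a documented feature.
    for node in root.findall("uses-permission"):
        name = node.get(A + "name")
        if name not in required_permissions:
            findings.append(("unnecessary-permission", name))

    app = root.find("application")
    if app is not None:
        # Debug builds and unrestricted backups are not needed in a public release.
        for attr in ("debuggable", "allowBackup"):
            if app.get(A + attr) == "true":
                findings.append(("risky-application-flag", attr))
        # Exported components are reachable by other apps; each must be intended.
        for comp in app:
            if comp.tag in ("activity", "service", "receiver", "provider"):
                name = comp.get(A + "name")
                if comp.get(A + "exported") == "true" and name not in allowed_exported:
                    findings.append(("unnecessary-exported-component", name))
    return findings


def release_gate(findings):
    """Return True when the manifest is clean enough to submit to an app store."""
    return len(findings) == 0


if __name__ == "__main__":
    results = review_manifest(SAMPLE_MANIFEST, REQUIRED_PERMISSIONS, ALLOWED_EXPORTED)
    for category, item in results:
        print("%-32s %s" % (category, item))
    print("release gate:", "PASS" if release_gate(results) else "FAIL")
```

Each finding either gets removed from the manifest or is formally documented and risk-accepted, which is the choice the recommendation above describes; running the check in the build pipeline gives the procedure for adherence a concrete enforcement point.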

25-A-18-027.03 to AHRQ - Open Unimplemented
Update expected on 06/16/2025
We recommend that the Agency for Healthcare Research and Quality update the AHRQ Mobile Application Development Policy to require vetting the security of all AHRQ mobile apps for compliance with the HHS secure coding policy requirements and correcting any security vulnerabilities identified before releasing a mobile app to app stores for public use and establish a procedure to ensure adherence to these requirements.