GAO: HHS Continues to Have Challenges Carrying out its Cybersecurity Responsibilities
A recent U.S. Government Accountability Office (GAO) report has warned that the Department of Health and Human Services (HHS) is continuing to have challenges addressing threats to critical healthcare infrastructure and is not fully carrying out its cybersecurity responsibilities as the lead agency for healthcare cybersecurity, as has been highlighted in several previous GAO reports. In those reports, GAO made key recommendations that have still not been fully implemented, including recommendations made as early as 2020.
The healthcare and public health sector (HPH) has been extensively targeted by cybercriminal groups in recent years and ransomware attacks continue to cause massive disruption across the sector. The latest data from the HHS’ Office for Civil Rights breach portal indicate a slight decline in cyberattacks from last year, but more patient records have already been exposed or stolen in 2024 than in any other year to date. This year saw the largest-ever healthcare data breach from a ransomware attack on Change Healthcare, which caused massive disruption to healthcare providers across the country. The attack has resulted in hundreds of millions of dollars in losses and involved the theft of the protected health information of around 100 million Americans.
A January 2024 GAO report indicates the HHS has implemented several initiatives to reduce cybersecurity and ransomware risks across the HPH sector. An HHS analysis of cybersecurity at U.S. hospitals suggested that participating hospitals had implemented around 70.7% of the functional areas of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (identify, protect, detect, respond, recover); however, the HHS was not yet tracking adoption of the practices in the framework that specifically mitigate ransomware attacks.
HHS officials explained to GAO that they were tracking the adoption of key practices in the NIST Cybersecurity Framework, but the HHS was unable to provide evidence of those efforts. If the HHS is not fully aware of how cybersecurity practices are being adopted across the HPH sector, the HHS is at risk of failing to direct resources to where they are most needed. GAO recommended that the HHS work with the Cybersecurity and Infrastructure Security Agency (CISA) to determine the adoption of ransomware-specific practices across the sector.
The HHS provides support to the HPH sector through guidance documents, threat briefings, analyst notes, and other means to help the HPH sector mitigate ransomware risks; however, the HHS has not yet implemented a January 2024 GAO recommendation that the HHS should assess the effectiveness of the support it provides and is therefore unaware of the types of support that are most effective at reducing ransomware-related risks.
GAO recommended the HHS work with CISA to develop evaluation procedures to measure the effectiveness of the cybersecurity support it provides. The HHS will then be able to concentrate on providing the most effective support to the sector. Another area of concern relates to Internet of Things (IoT) and operational technology (OT) devices, which the sector relies on heavily to deliver essential healthcare services. A December 2022 GAO report confirmed that the HHS had ongoing risk activities for medical devices but had not conducted a comprehensive sector-wide risk analysis covering all IoT and OT devices. Two years on, that recommendation has still not been implemented.
The HHS is responsible for coordinating and collaborating on sector cybersecurity, and while the Administration for Strategic Preparedness and Response (ASPR) was leading or co-leading several groups that are focused on supporting the HPH sector, GAO found several areas of weakness. ASPR was not consistently or fully monitoring the groups’ progress toward meeting goals and had not clarified the specific roles of those groups. ASPR was also not regularly updating the charter to describe how the groups should collaborate. GAO recommended that ASPR take action to address those areas of weakness.
A May 2020 GAO report highlighted issues with security parameters in the policies of the HHS’ Centers for Medicare and Medicaid Services (CMS) that conflicted with those established by other federal agencies such as the Social Security Administration. For instance, agencies were defining different values for the number of consecutive unsuccessful log-on attempts allowed before a user was locked out. If these conflicts are not resolved, they place an unnecessary burden on state officials’ time and resources. GAO recommended that the CMS solicit input from other federal agencies on revisions to its security policies to resolve those areas of conflict.
GAO said that until the HHS implements all previous cybersecurity-related recommendations it risks being unable to effectively carry out its responsibilities as the lead agency for HPH critical infrastructure, which could adversely affect healthcare providers and patient care.