
GAO: Federal Agencies Need to Enhance Oversight of Ransomware Practices

The Government Accountability Office (GAO) has found that most federal agencies that manage risk for critical infrastructure sectors have assessed or plan to assess risks associated with ransomware, but they have not gauged the use of leading cybersecurity practices nor determined whether federal support has effectively managed risks in critical infrastructure sectors. Ransomware attacks have increased over the past few years and organizations in critical infrastructure sectors are being extensively targeted. According to the Department of the Treasury, the total value of ransomware attacks in the United States reached $886 million in 2021, up 68% from the previous year. Many of the attacks have been on healthcare organizations and have negatively affected patients by causing delays in treatment and diagnosis.

According to the Federal Bureau of Investigation (FBI), 870 critical infrastructure organizations were affected by ransomware attacks in 2022 and almost half of those attacks were on four critical infrastructure sectors – critical manufacturing, energy, healthcare and public health, and transportation systems. In February 2022, the National Institute of Standards and Technology (NIST) developed a framework for managing ransomware risk, which can be used by organizations to identify and prioritize opportunities for improving security and resilience against ransomware attacks. What is unclear is the extent to which the security practices recommended by NIST to combat ransomware have been implemented across critical infrastructure sectors.

GAO conducted a study to assess federal agency efforts to oversee sector adoption of leading federal practices and evaluate federal agency efforts to assess ransomware risks and the effectiveness of the support they have provided. GAO analyzed documentation related to reporting, risk analysis, and mitigation strategies and compared those efforts to NIST guidance on cybersecurity specific to ransomware. GAO found that the assessed Sector Risk Management Agencies (SRMAs) do not have reliable data on the extent to which the NIST recommendations have been implemented, and until such time that they have that knowledge, the White House’s goal of improving critical infrastructure’s resilience to withstand ransomware threats will be more difficult to achieve.

Most of the SRMAs assessed by GAO had already assessed or plan to assess the risks of cybersecurity threats such as ransomware for their respective sectors, as required by law, but only half of the agencies had evaluated aspects of the support they provided in their respective sectors, and none had fully assessed the effectiveness of that support. GAO has made 11 recommendations to the Department of Energy (DoE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), and Department of Transportation (DoT). GAO recommended that the Secretaries of the DoE, HHS, DHS, and DoT coordinate with the Cybersecurity and Infrastructure Security Agency (CISA) and determine the extent to which their sectors are adopting leading cybersecurity practices to combat ransomware. They should also develop and implement routine evaluation procedures that measure the effectiveness of federal support in helping reduce the risk of ransomware in their respective sectors.


HHS agreed with the recommendations and believes that it has already met one of them, as it conducted an initial evaluation of the sector’s adoption of cybersecurity practices through prior efforts, such as its April 2023 Hospital Resiliency Landscape Analysis study to measure the adoption of recommended cybersecurity practices in hospitals, and it has developed a Risk Identification and Site Criticality Toolkit. GAO recognized the steps that have already been taken but said HHS is not yet tracking the sector’s adoption of specific practices that reduce ransomware risk, and therefore its recommendations still stand.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
