25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

GAO: HHS Yet to Implement 82 Cybersecurity and IT Management Recommendations

Posted By on Sep 16, 2025

The U.S. Government Accountability Office has written to Clark Minor, Chief Information Officer (CIO) of the U.S. Department of Health and Human Services, advising him about the current open cybersecurity and IT management recommendations that require his attention.

GAO is a non-partisan agency that works for Congress and provides support to ensure it meets its constitutional responsibilities and helps improve the performance and ensure the accountability of the federal government. GAO makes recommendations for improving the government’s performance in IT and related IT management functions, including recommendations for the HHS, yet many of those recommendations have yet to be implemented. In the letter, GAO explained that the HHS currently has 82 open recommendations involving high-risk cybersecurity and IT management issues.

GAO made the recommendations over several years, each relating to a GAO High-Risk area: Ensuring the Cybersecurity of the Nation or Improving IT Acquisitions and Management. Out of the 82 recommendations, at least 37 are considered sensitive, and one has been designated as a priority recommendation. GAO explained in the report that in order to secure the cybersecurity of the nation, the HHS needs to take additional steps to secure the records and information systems it uses to carry out its mission.

GAO had recommended that HHS establish a reasonable time frame for when it will be able to digitally accept access and consent forms from properly identity-proofed and authenticated individuals and post those forms on the department’s privacy program website. GAO has warned that until the recommendation is implemented, the HHS will not be able to adequately protect records from improper disclosure.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

HHS’ Office for Civil Rights investigations into potential HIPAA violations have resulted in financial penalties for organizations that have failed to maintain logs of activity in information systems containing ePHI, yet it hasn’t fully implemented effective logging of its own systems, as directed by the Office of Management and Budget. “Until HHS implements this recommendation, there is increased risk that the department will not have complete information from logs on its systems to detect, investigate, and remediate cyber threats,” warned GAO. HHS has also not yet implemented the recommendation that it should improve its incident response guidance, implementation, and oversight.

In the Improving IT Acquisitions and Management category, GAO has recommended that HHS improve its management and tracking of IT resources. For instance, the HHS had previously provided a revised time frame for completing its covered Internet of Things (IoT) inventory, but has still not completed the inventory. GAO warned that there is an enormous array of disparate devices that may be considered part of IoT, and those devices connect to HHS information systems. Until HHS has a complete inventory, it lacks visibility into the IoT devices within its environment, which will hamper its ability to mitigate IoT cybersecurity risks.

HHS had made little progress developing a work plan that includes specific actions to show progress in developing a public health situational awareness and biosurveillance network. Doing so will help to ensure that the HHS has comprehensive capabilities to allow a rapid and efficient response to an infectious disease outbreak. GAO also stressed to the HHS CIO that there are also outstanding recommendations from the HHS Office of Inspector General in the areas of cybersecurity and IT acquisitions and management, including requirements under the Federal Information Security Modernization Act of 2014, which must also be resolved.

Minor only joined the HHS in February and has served as CIO since May 2025. The HHS said in that short time, Minor has made steady progress toward ensuring the highest level of security and performance across its systems.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist