
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

HHS-OIG Report Highlights Key HHS Cybersecurity Challenges

The U.S. Department of Health and Human Services Office of Inspector General has published its annual report on the Top Management and Performance Challenges Facing HHS to help the department improve the effectiveness and efficiency of its programs. The report highlights some of the cybersecurity challenges faced by HHS, including a lack of standardized governance and controls, which complicates HHS’s preparedness efforts to prevent and respond to cybersecurity threats.

The HHS is a large department with disparate organizational approaches to cybersecurity across its various divisions and programs. While the department has taken steps to consolidate cybersecurity functions and improve its security posture, HHS-OIG says overall progress still often depends on each individual division and program. In addition, the HHS works with thousands of contractors, grantees, and other external entities. Cybersecurity controls must be implemented not only within the HHS itself, but also by each of those contractors, grantees, and external entities. That makes department-wide cybersecurity improvements especially challenging, and the HHS's ability to mitigate cybersecurity threats often depends on those entities implementing controls appropriate to their own operations. “Protecting technology and data requires broader efforts beyond implementing technical fixes, such as establishing clear expectations; modernizing program rules; and conducting effective oversight of the Department’s contractors, grantees, and other external entities,” HHS-OIG said.

The healthcare sector remains a key target for cyber actors. Ransomware attacks continue at high volume, as financially motivated threat actors encrypt and steal data to use as leverage to obtain ransom payments. Cyberattacks are growing in sophistication and are continually evolving, so the HHS must be able to respond quickly, alert the sector about vulnerabilities that are being actively exploited, and help prepare the sector for evolving threats.

The HHS plays a key role in improving cybersecurity across the sector and responding to threats, yet the diffuse nature of HHS cybersecurity authorities and responsibilities is complicating HHS’s response efforts. The HHS also has limited resources to address sector-wide obstacles to better cybersecurity across the healthcare and public health sector, such as the sector’s reliance on legacy technology and its cybersecurity workforce shortages. Further, privacy and security are governed by HIPAA, a statute enacted in 1996. HHS-OIG warned that the HIPAA Privacy Rule and the HIPAA Security Rule may not be sufficient to address contemporary privacy concerns and the increasing cybersecurity risks to electronic protected health information. As such, HHS-OIG said the HHS must adapt as privacy and security needs evolve.


Further regulation could help in this regard; however, the HHS has been slow to enact updates to the HIPAA Rules. A Privacy Rule update was proposed by the HHS under the first Trump administration in late 2020, yet a final rule has still not been published more than five years after the update was first proposed. The update remains on the HHS’s regulatory agenda, but there has been no indication of when a final rule will be published. An extensive update to modernize the HIPAA Security Rule and strengthen cybersecurity across the sector was proposed in the final days of the Biden administration. While there is an urgent need to improve cybersecurity across the sector, it is currently unclear whether the HHS, under the current Trump administration, plans to finalize the proposed rule.

HHS-OIG said the HHS has taken action to address the challenges highlighted in the report, but there are considerable opportunities for further progress. Until the HIPAA Rules are updated, the HHS must continue to work within the statutory authorities established by HIPAA in 1996, the HIPAA Privacy Rule in 2000, and the HIPAA Security Rule in 2003.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
