HHS Slow to Implement GAO Health IT and Cybersecurity Recommendations

Share this article on:

The U.S. Department of Health and Human Services has been slow to implement cybersecurity recommendations made by the Government Accountability Office. In total, 392 recommendations have yet to be addressed, including 42 which GAO rated as high priority.

Over the past four years, GAO has made hundreds of recommendations, but the HHS has only addressed 75% of them, 2% less than other government agencies.

The poor implementation rate was outlined in a March 28, 2019 letter from the GAO to HHS secretary Alex Azar.

GAO explained that healthcare is part of the nation’s critical infrastructure and relies heavily on computerized systems and electronic data to function. Those systems are regularly targeted by a diverse range of threat actors, so it is essential they are secured and protected from unauthorized access.

GAO drew attention to four high priority recommendations covering health IT and cybersecurity that are still outstanding.

“The four open priority recommendations within this area outline steps to ensure HHS can effectively monitor the effect of electronic health records programs and progress made toward goals; encourage adoption of important cybersecurity processes and procedures among healthcare entities; protect Medicare beneficiary data accessed by external entities; and ensure progress is made toward the implementation of IT enhancements needed to establish the electronic public health situation awareness network,” wrote GAO in the letter.

GAO explained that in March 2018, it recommended that the administrator of Centers for Medicare and Medicaid Services (CMS) should develop and implement policies and procedures to ensure entities that use claims data should evaluate the performance of Medicare service and equipment providers and ensure they have implemented appropriate security controls.

While CMS has agreed to engage a contractor to review the current data security framework and provide recommendations on specific controls and implementation requirements, GAO notes that CMS must also develop appropriate processes and procedures for implementing those controls.

Three other high priority health IT and cybersecurity recommendations have yet to be implemented.

The HHS has yet to develop performance measures that allow it to assess whether the Meaningful use program (now the Promoting Interoperability Program) is actually improving outcomes and patient safety.

GAO recommended in 2018 that the HHS and the Secretary of Agriculture should collaborate with the Department of Homeland Security and NIST and develop methods for determining the level and type of cybersecurity framework adoption required to improve the critical infrastructure of the healthcare industry. While some work has been completed in this area, GAO wrote that the HHS is still trying to identify applicable methods 12 months on.

GAO also recommended that the HHS should instruct the Assistant Secretary for Preparedness and Response to conduct all IT management and oversight processes when establishing the network and should act under the leadership of the HHS CIO. GAO notes that little has been done to enhance national public health situational awareness network capabilities that would allow officials to view real-time information about emerging health threats.

GAO explained that it is essential for these and other recommendations to be implemented promptly. Further, GAO believes that fully implementing all of its recommendations will significantly improve HHS operations.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On