November 19, 2024

GAO urges HHS to strengthen cybersecurity oversight

Editor's Note

A November 13 report from the Government Accountability Office (GAO) identifies critical gaps in the Department of Health and Human Services' (HHS) ability to manage cybersecurity risks in the healthcare and public health sector.

HHS, the lead federal agency for cybersecurity in this sector, faces challenges in monitoring the adoption of best practices, evaluating support effectiveness, and addressing sector-wide vulnerabilities, the office reports. Key takeaways include:

  • Cyber threats are escalating. Cyberattacks in the healthcare sector are on the rise, with a notable February 2024 ransomware attack on Change Healthcare leading to $874 million in losses and widespread disruptions. These incidents underscore the urgent need for stronger cybersecurity measures.
  • Practice implementation is questionable. HHS oversees healthcare organizations' adoption of the National Institute of Standards and Technology Cybersecurity Framework. However, a January 2024 report revealed that although hospitals have adopted 70.7% of the framework's functional areas, HHS lacks comprehensive tracking of ransomware-specific practices. “Without full awareness of the sector's adoption of cybersecurity practices, HHS risks not directing resources where needed,” GAO points out.
  • Assessments are lagging. Although HHS provides resources such as training and threat briefings, the organization has not evaluated the effectiveness of this support. Without assessing which supports work best, HHS may fail to address gaps in communication and coordination effectively. Similarly, HHS’s ongoing efforts for medical device cybersecurity do not include comprehensive risk assessment for Internet of Things (IoT) and operational technology (OT) devices.
  • Collaboration must improve. HHS’s Administration for Strategic Preparedness and Response (ASPR) leads working groups to improve cybersecurity. However, it lacks consistency in monitoring progress, clarifying roles, and updating collaborative practices. These gaps hinder effective sector-wide collaboration.
  • Cybersecurity requirements conflict. The Centers for Medicare and Medicaid Services (CMS) has cybersecurity policies that sometimes conflict with those of other federal agencies, creating inefficiencies for state officials managing cybersecurity efforts.

Without progress on improving monitoring and evaluation, implementing comprehensive risk assessment, enhancing collaboration, and better aligning policies with other agencies, HHS risks failing to fulfill its cybersecurity leadership role, GAO reports.
