Latest News

GAO report: HHS facing challenges as lead agency for health care cybersecurity

Written on Nov 22, 2024

The HHS has faced challenges mitigating cybersecurity risks in the health care sector, according to a report published by the Government Accountability Office (GAO).  

The department hasn’t implemented policies previously recommended by the government watchdog, including tracking industry adoption of ransomware-specific cyber practices or assessing risks from internet of things or operational technology devices. 

Until the HHS fills those gaps, the department could be unable to effectively lead the industry in cybersecurity — a potential risk for providers and patient care, according to the GAO. 

Despite the HHS’ stated efforts to limit the sector’s cyber risks, the department hasn’t put in place policies that could help the industry improve its security. 

The report comes as the health care sector is facing a growing scourge of cyberattacks and data breaches, including the high-profile cyberattack on UnitedHealth-owned technology firm and claims processor Change Healthcare earlier this year. 

Regulators found several examples where they say the HHS faced challenges mitigating risks. 

In one, the HHS said hospitals reported adopting nearly 71% of practices under the National Institute of Standards and Technology Cybersecurity Framework to detect, respond to and recover from cyberattacks. 

But the GAO noted the department wasn’t tracking the framework’s specific standards for ransomware, a type of malware that denies users access to their data that has become an increased threat to health care organizations.  

“Although HHS officials told us that they would be able to assess implementation of key concepts in the framework, the department did not provide evidence of its efforts to do so,” the GAO wrote. “Without full awareness of the sector’s adoption of cybersecurity practices, HHS risks not directing resources where needed.” 

The agency added that the HHS hasn’t evaluated the effectiveness of its support tools, like guidance documents, training and threat briefings. 

It also hasn’t conducted an industrywide assessment of risks from internet of things or operational technology devices. IoT refers to technologies that allow for network connection and interaction between a range of devices, while operational technologies are systems that interact with a physical environment. 

Without an assessment, the HHS won’t know what new security measures are necessary to address evolving threats, the GAO said.  

Meanwhile, the CMS established cyber requirements to protect data it shares with state agencies, but those standards conflicted with other federal agencies that work closely with states, such as the Social Security Administration. 

“The conflicting parameters can place an unnecessary burden on state officials’ time and resources,” the watchdog wrote in the report. “This in turn could lead to reduced attention on other important cybersecurity efforts.”