GAO: HHS Has Failed to Act on Security Recommendations
Watchdog Report Spotlights Steps Agency Has Not Yet Taken
The Department of Health and Human Services has yet to implement dozens of "high priority" recommendations, including several related to enhancing its cybersecurity and reducing the risk of fraud, according to a new report from a watchdog agency that made the recommendations.
The Government Accountability Office says it has made more than three dozen "high priority" recommendations to HHS over the last four years that have yet to be implemented. Those include at least seven related to health information technology and cybersecurity as well as several others related to efforts aimed at reducing fraud risk, including at the Centers for Medicare and Medicaid Services.
For example, HHS still lacks a complete cybersecurity risk management strategy that includes key risk-related elements, such as a statement of risk tolerance and information on how the agency intends to assess, respond to and monitor cybersecurity risks.
Risk to Data
GAO's high-priority recommendations on security generally deal with vulnerabilities that pose the greatest risk to health information, says privacy attorney David Holtzman of the security consultancy CynergisTek.
"In the case of HHS and its family of federated agencies, failure to come up with solutions to these gaps has real-world consequences that put the personally identifiable information or sensitive government internal documents at risk of unauthorized disclosure," he says.
Some private-sector organizations face similar challenges in implementing risk management priorities, says privacy attorney Kirk Nahra of the law firm WilmerHale.
"For a private-sector company, the risk of failing to fix these things can mean a security breach, litigation and potential enforcement," Nahra says. "These companies also make good faith efforts - typically - to do what they can within their reasonable resources. The dynamics of those risks obviously are different for a government agency."
The GAO writes in its report: "Serious cybersecurity threats to the infrastructure continue to grow and represent a significant national security challenge."
The seven recommendations on cybersecurity and health IT that HHS has not yet carried out would ensure that:
- HHS has a cybersecurity risk management strategy that includes key risk-related elements;
- CMS develops processes and procedures to ensure that researchers and other qualified entities have implemented information security controls effectively throughout their data access agreements with CMS;
- Progress is made toward the implementation of IT enhancements needed to establish the electronic public health situation awareness network.
GAO notes that in July 2019, it recommended that HHS develop a cybersecurity risk management strategy and establish a process for conducting an organizationwide cybersecurity risk assessment.
"HHS reported in January 2020 that the department was drafting a new cybersecurity risk management memo that will provide additional details of its cybersecurity risk management strategy," GAO says. "HHS also reported that this updated risk management strategy would include defining a process for conducting an organizationwide cybersecurity risk assessment. To fully address our recommendations, HHS must ensure that its strategy includes key elements, including a statement of risk tolerance and information on how the agency intends to assess, respond to and monitor cybersecurity risks."
HHS also needs to establish a risk-assessment process to allow the agency to "consider the totality of risk derived from the operation and use of its information systems," according to the report.
Reducing Fraud Risk
When it comes to reducing fraud risk, GAO notes, for example, that CMS has not yet strengthened its online identity verification processes.
GAO notes that in a May 2019 report, it called upon CMS "to develop a plan with time frames and milestones to discontinue knowledge-based verification, such as by using Login.gov or other alternative verification techniques."
In a February 2020 response to that recommendation, HHS stated that current National Institute of Standards and Technology guidance to agencies was insufficient and that CMS would look to future guidance from NIST and the Office of Management and Budget "to help guide consideration of non-knowledge-based verification options," GAO writes.
But GAO notes that it "continues to believe" its recommendation is valid "because a variety of alternative methods to knowledge-based verification are available that CMS can consider to address the diverse population it serves. ... Until CMS takes the needed steps to strengthen its online identity verification processes, individuals who rely on such processes will remain at risk for identity fraud."
Many government agencies fail to take prompt action to carry out GAO recommendations, Nahra notes.
"There certainly may be things that GAO identifies, that an agency hadn't known about before, that may trigger a prompt response, but more commonly these are put on a list of things to think about when one gets to it," he says.
HHS did not immediately respond to an Information Security Media Group request for comment.
Private Sector Challenges
GAO's unimplemented recommendations to HHS mirror similar security risk challenges in the private sector.
For instance, healthcare entities sometimes fail to implement important security risk management measures, including risk mitigation steps that are red-flagged following a security risk analysis.
"The security risk analysis is often not done or not done correctly, as evidenced by the corrective action plans after HHS Office for Civil Rights investigates a large data breach," notes Susan Lucci, senior privacy and security consultant at consultancy tw-Security.
That inaction could be related to staffing and budget shortages, she says. "Add on top of that, the fact that some remediation efforts have high associated costs, and organizations must choose to 'accept' some of the risks until budget can be allocated to close the gap. With all the places where confidential information resides, it is extremely difficult to reduce most risks that cybercriminals will not find a new way to exploit."
Clyde Hewitt, executive adviser at CynergisTek, notes that "risk fatigue and risk inflation appear to be contributing factors" to inaction on security. "We have had 'high risk' for 20 years, but today's 'high' has a much higher adverse impact than the misdirected fax we experienced in 2003."