GAO: HHS Needs to Be a Better Leader in Health Sector Cyber
Watchdog Agency Report Points to Unimplemented Cyber Recommendations
The U.S. Department of Health and Human Services needs to take important actions to do a better job of carrying out its duties as the lead federal agency responsible for strengthening cybersecurity in the healthcare and public health sector, said a new federal watchdog agency report.
The Government Accountability Office report issued last week said HHS has not yet implemented several of GAO's recommendations from reports issued over the last four years, such as tracking the performance of several initiatives intended to mitigate ransomware risks for healthcare and public health.
"Nevertheless, our prior work has found that the department had not adequately monitored the sector’s implementation of ransomware mitigation practices," GAO said.
As an example, in January 2024, GAO reported that HHS released results of an analysis of U.S. hospitals’ cybersecurity.
"Among other things, the analysis found that participating hospitals had self-assessed that they had adopted 70.7% of the National Institute of Standards and Technology Cybersecurity Framework’s functional areas of identify, detect, protect, respond and recover," GAO wrote.
However, at the time of GAO's latest report issued last week, HHS was still not tracking adoption of the ransomware-specific practices outlined in the framework, the watchdog agency said.
"Although HHS officials told us that they would be able to assess implementation of key concepts in the framework, the department did not provide evidence of its efforts to do so. Without full awareness of the sector’s adoption of cybersecurity practices, HHS risks not directing resources where needed," GAO wrote.
Among other GAO recommendations from previous reports that HHS had still not implemented at the time of GAO's latest report are:
- HHS, in coordination with the Cybersecurity and Infrastructure Security Agency and sector entities, should develop evaluation procedures to measure the effectiveness of its support in helping to reduce ransomware risk;
- HHS should conduct a comprehensive sectorwide cybersecurity risk assessment addressing IoT and OT devices and the level of risk these devices pose to the healthcare sector's cyber environment;
- HHS' Administration for Strategic Preparedness and Response should take action to fully and consistently demonstrate leading collaboration practices to improve cybersecurity;
- HHS' Centers for Medicare and Medicaid Services should solicit input from relevant federal agencies on revisions to its security policy to ensure consistency across cybersecurity requirements for state agencies, and CMS should revise its assessment policies to maximize coordination with other federal agencies.
HHS did not immediately respond to Information Security Media Group's request for comment on the GAO findings.
Taking Action
Nonetheless, HHS has been taking various other actions to improve cybersecurity in the healthcare sector, GAO said.
Among those activities - although not cited specifically by GAO in the latest report - is HHS' effort to persuade entities to implement voluntary cybersecurity performance goals, as issued last December in a concept paper by the Biden administration.
HHS had also said it planned to mandate those CPGs for certain hospitals through potential financial incentives and penalties from CMS (see: HHS Details New Cyber Performance Goals for Health Sector).
But the Biden administration still has not issued those proposed regulations, and with the second Donald J. Trump administration taking over HHS on Jan. 20, it is increasingly unlikely those proposals will be issued before the transition to new HHS leadership. Trump has named Robert F. Kennedy Jr. as his nominee to lead HHS, and Dr. Mehmet Oz as administrator for HHS' Centers for Medicare and Medicaid Services.
In the meantime, HHS' Office for Civil Rights is planning to publish by the end of the year a notice of proposed rulemaking to update the 20-year-old HIPAA Security Rule as part of the effort to shore up health sector cybersecurity (see: White House Reviewing Updates to HIPAA Security Rule).
The proposed rule, which HHS OCR said is under review by the White House Office of Management and Budget, will be open for 60 days of public comment before HHS decides whether to issue a final rule.
But that leaves the next phase of that rulemaking work to Trump's incoming HHS team, and it will be up to the new administration whether to move forward with HIPAA security rule updates.
Regarding GAO's citing of HHS' work with CISA in its report, the College of Healthcare Information Management Executives - a professional association of healthcare CISOs and CIOs - said there is a significant need for ongoing collaboration between HHS and CISA, and with the health sector.
Such collaboration is helpful to providers and other groups in the healthcare ecosystem, especially as the threat landscape becomes increasingly complex to navigate, said Mari Savickis, who heads up CHIME's government relations.
"The most important thing for providers is having a single place to turn when they need access to resources or help navigating a cyber incident," she said. In fact, according to CHIME’s Most Wired survey data for 2024, 92% of those surveyed relied on information from CISA, she said.
Savickis also said CHIME agrees with GAO's recommendation about the need for a sectorwide cyber risk assessment. "HHS has said they are undertaking this work but to date this has not been made public," she said.
"This information is needed to ascertain the entities in our healthcare ecosystem that are so large or integral that should they 'fail,' it would have cascading and negative impacts on a wide swath of the healthcare sector."