A federal watchdog has warned that the U.S. Department of Health and Human Services must urgently act on decades-old cybersecurity and IT recommendations.
The U.S. Government Accountability Office (GAO) has sent a formal letter to Clark Minor, Chief Information Officer of the Department of Health and Human Services (HHS), outlining 82 open cybersecurity and IT management recommendations that remain unaddressed. These include 37 sensitive items and one marked as a priority.
The recommendations fall under GAO's High-Risk focus areas, which aim either to ensure national cybersecurity or to improve federal IT acquisition and oversight. The letter states that without progress, HHS remains vulnerable to cyber threats and operational inefficiencies.
Several of the unresolved recommendations stem from longstanding system deficiencies. GAO called out HHS for failing to implement activity logging, despite its own Office for Civil Rights penalizing external entities for similar lapses under HIPAA. Until addressed, HHS risks being unable to properly detect, investigate, and respond to cyber threats across its networks.
GAO also noted that HHS has not posted digital access and consent forms on its privacy program website, a move required to safeguard personal records. The agency warned that the lack of such protections increases the likelihood of improper disclosures.
On the IT asset side, HHS has not completed an inventory of its Internet of Things (IoT) devices, leaving gaps in device visibility and control. This hampers its ability to mitigate cybersecurity risks tied to connected medical and operational equipment.
Beyond cybersecurity, GAO also pointed to HHS's delays in developing a work plan for a nationwide biosurveillance network, a necessary tool for public health readiness during outbreaks.
GAO warned that without full implementation of the outstanding recommendations, HHS will continue to lack the visibility, governance, and safeguards necessary for mission-critical systems. The agency also noted overlapping recommendations from the HHS Office of Inspector General, especially around Federal Information Security Modernization Act (FISMA) requirements.
A spokesperson for HHS said that CIO Clark Minor, who joined the department earlier this year, has already made progress in addressing several of the issues.
GAO is an independent agency that audits federal programs and provides recommendations to improve performance, including in cybersecurity and IT management.
Without a full inventory of connected devices, agencies like HHS cannot monitor, secure, or manage potential vulnerabilities across their network.
FISMA is a U.S. law requiring federal agencies to implement strong information security programs. GAO and agency Inspectors General monitor compliance with its standards.