GAO report reveals gaps in HHS cybersecurity policies, raising concerns about the healthcare sector's preparedness against cyber threats.
According to a recent report, the US Department of Health and Human Services (HHS) has yet to implement cybersecurity recommendations issued by the Government Accountability Office (GAO). The unimplemented recommendations include monitoring the healthcare sector's adoption of ransomware-specific practices and assessing the risks tied to Internet of Things (IoT) and operational technology (OT) devices. The report cautions that until these gaps are closed, HHS will struggle to guide the healthcare sector effectively in mitigating cybersecurity risks, potentially endangering patient care and provider operations.
The GAO report discusses several areas where HHS has fallen short in addressing cybersecurity challenges. For example, the department has reported that hospitals have adopted nearly 71% of the practices outlined in the National Institute of Standards and Technology Cybersecurity Framework. However, it has not tracked adoption of ransomware-specific practices, despite ransomware being a growing threat to healthcare organizations.
The watchdog also noted that HHS has not evaluated the effectiveness of its cybersecurity support tools, such as guidance documents, training, and threat briefings. Additionally, the department has not conducted an industry-wide assessment of risks posed by IoT and OT devices, which are increasingly integrated into healthcare systems.
The GAO report further criticized conflicting cybersecurity requirements issued by different federal agencies. For instance, the Centers for Medicare and Medicaid Services (CMS) established cyber standards for data shared with state agencies that conflict with guidelines from the Social Security Administration. These discrepancies create inefficiencies for state officials, potentially diverting resources from other cybersecurity tasks.
The GAO report stressed the need to monitor and evaluate cybersecurity practices to ensure that resources are allocated efficiently. The report noted, “Without full awareness of the sector’s adoption of cybersecurity practices, HHS risks not directing resources where needed.” HHS, however, did not respond to the GAO’s findings.
As the healthcare sector faces an increasing frequency of cyberattacks, including the high-profile breach of Change Healthcare earlier this year, the need for stronger cybersecurity measures has never been more urgent. The GAO report indicates that without tracking, evaluation, and coordination, HHS may fall behind in addressing the sector's cybersecurity challenges. This could expose providers, patients, and their data to heightened risk, making effective federal leadership in this area essential to safeguarding the industry.
The GAO is a nonpartisan agency that provides auditing, evaluation, and investigative services to the U.S. Congress.
The GAO monitors and reports on how taxpayer dollars are spent, ensuring accountability and efficiency in government operations.
IoT refers to devices connected to the internet that collect, share, and act on data, such as smart home devices or wearable technology.
OT devices are hardware and software used to monitor or control industrial equipment, processes, and systems, like those found in factories or power plants.