December 4, 2024


GAO highlights HHS struggles with cybersecurity as healthcare sector faces increased attacks


The U.S. Government Accountability Office (GAO) has identified challenges faced by the Department of Health and Human Services (HHS) in fulfilling its cybersecurity responsibilities. Strengthening HHS’s leadership could be achieved by implementing previous recommendations. Cyberattacks on the healthcare and public health sectors have surged in recent years. 

As the lead federal agency for the healthcare and public health critical infrastructure sector, HHS has struggled with its cybersecurity duties and has not yet implemented all recommendations to address these issues. These responsibilities include coordinating with the Cybersecurity and Infrastructure Security Agency (CISA), the national coordinator for critical infrastructure security and resilience.

In February this year, Change Healthcare, a health payment processor, suffered a ransomware attack, resulting in data theft, US$874 million in losses, and significant disruptions to healthcare providers and patient care. This incident underscores HHS’s difficulties in managing sector cybersecurity. The department has yet to implement all recommended measures to address these issues.

HHS has launched initiatives to reduce ransomware risks in healthcare and public health. However, the GAO’s previous findings indicate that the department has not effectively monitored the sector’s implementation of these practices. In January this year, GAO reported that HHS published an analysis of U.S. hospitals’ cybersecurity. The analysis revealed that participating hospitals self-reported adopting 70.7 percent of the NIST Cybersecurity Framework’s key areas – identify, detect, protect, respond, and recover.

“However, at the time of our report, HHS was not yet tracking adoption of the ransomware-specific practices outlined in the framework,” the GAO said. “Although HHS officials told us that they would be able to assess the implementation of key concepts in the framework, the department did not provide evidence of its efforts to do so. Without full awareness of the sector’s adoption of cybersecurity practices, HHS risks not directing resources where needed.”

GAO recommended that HHS, in coordination with CISA and sector entities, determine the sector’s adoption of leading cybersecurity practices that help reduce ransomware risk.

The watchdog also found that HHS had not evaluated the effectiveness of the support it provides to the sector. Specifically, GAO reported that HHS provided various types of support, such as guidance documents, training, job aids, and threat briefings to help the sector manage ransomware risks. However, the department did not demonstrate that it evaluated which type of support would be the most effective. As a result, the department could not fully address concerns about communication, coordination, and timely sharing of threat and incident information. 

GAO suggested that HHS, in coordination with CISA and sector entities, develop evaluation procedures to measure the effectiveness of its support in helping to reduce ransomware risk.

When it comes to assessing sector cybersecurity risks, the GAO report noted that apart from IT, the healthcare sector also relies on Internet of Things (IoT) and operational technology (OT) devices and systems to provide essential healthcare and public health services. In December 2022, “we reported that HHS had ongoing risk activities for medical devices, a specific type of IoT device. However, HHS had not conducted a comprehensive sector-wide cybersecurity risk assessment addressing IoT and OT devices. As a result, the department did not know what additional security protections were needed to address growing and evolving threats,” GAO pointed out.

GAO proposed that HHS include IoT and OT devices as part of the risk assessments of the sector’s cyber environment. 

On coordinating and collaborating for sector cybersecurity, GAO assessed that within the HHS, the Administration for Strategic Preparedness and Response (ASPR) is responsible for leading collaboration efforts to strengthen the security and resilience of the sector. “In June 2021, we reported that ASPR was leading or co-leading several working groups focused on supporting the sector. In doing so, we determined that ASPR demonstrated most leading collaboration practices for those working groups.” 

However, ASPR did not fully or consistently monitor the working groups’ progress towards meeting defined goals, clarify responsibilities for carrying out the groups’ roles, or regularly update the charter describing how the working groups are to collaborate. As a result, ASPR could not ensure that it was effectively collaborating to improve cybersecurity. GAO recommended that ASPR take action to fully and consistently demonstrate leading collaboration practices.

In its conclusion, GAO observed that “Until HHS implements our prior recommendations related to improving cybersecurity, the department risks not being able to effectively carry out its lead agency responsibilities, resulting in potential adverse impact on healthcare providers and patient care.”

In May, the GAO added a ‘priority recommendation’ for the Environmental Protection Agency (EPA), taking the total number to 12. The recommendations involve five areas, including improving the nation’s water quality; addressing data and risk communication issues related to drinking water and wastewater infrastructure; managing climate risks; protecting the nation’s air quality; and ensuring cybersecurity at EPA.

Before that, in March, the agency conducted a review of CISA’s 13 OT (operational technology) cybersecurity products and services. The review found that while 12 of the 13 non-federal entities reported positive experiences with CISA’s offerings, it also highlighted challenges reported by CISA and by seven of those entities.
