As cyberattacks continue to target hospitals and other healthcare organizations, the Department of Health and Human Services (HHS) is failing to meet some of its bigger-picture cybersecurity goals for the sector, the Government Accountability Office (GAO) said in a Nov. 13 report.
“As the lead federal agency for the healthcare and public health critical infrastructure sector, the Department of Health and Human Services (HHS) has faced challenges in carrying out its cybersecurity responsibilities,” GAO said.
Since 2016, HHS has been the lead Federal government agency for the healthcare and public health critical infrastructure sector, with the goal of improving the security and resilience of the sector’s critical infrastructure across all hazards.
In its Nov. 13 report, GAO said those responsibilities for HHS include strengthening cybersecurity in the sector, including coordinating with the Cybersecurity and Infrastructure Security Agency (CISA), which serves as the government’s national coordinator for critical infrastructure security and resilience.
GAO said in the new report that HHS needs to do more work on a range of security issues and recommendations that the watchdog agency delivered to HHS in reports over the past four years.
Those include assessing appropriate cybersecurity practices, developing evaluation procedures for ransomware risk reduction, and performing risk evaluations of Internet of Things (IoT) and operational technology (OT) devices.
GAO said its previous recommendations to HHS in those areas had been only partially implemented or not implemented at all, and the watchdog emphasized the need for further action as cyberattacks on the health sector, such as the attack on Change Healthcare earlier this year, grow more complex.
Beyond compromising healthcare sector data, cyberattacks have repercussions including the cancellation of urgent care surgeries, cancellation of radiology appointments, and the inability of medical providers to give patients emergency care, GAO said.
In January 2024, HHS said in its analysis of U.S. hospitals’ cybersecurity that roughly 71 percent of participating hospitals reported having adopted the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.
GAO said in its latest report that, since then, HHS has not tracked hospitals’ adoption of the ransomware mitigation practices drawn from the NIST framework, despite stating that it had the ability to assess implementation efforts.
“Our prior work has found that the department had not adequately monitored the sector’s implementation of ransomware mitigation practices,” said GAO. “Without full awareness of the sector’s adoption of cybersecurity practices, HHS risks not directing resources where needed.”
Other shortcomings listed in the watchdog’s report include HHS’s failure to evaluate which type of support for sector cybersecurity efforts (guidance documents, training, or threat briefings, for example) is most effective, and the lack of a sector-wide cybersecurity risk assessment addressing IoT and OT devices.
“In addition to IT, the sector relies on Internet of Things (IoT) and operational technology (OT) devices and systems to provide essential healthcare and public health services,” said GAO. “However, HHS had not conducted a comprehensive sector-wide cybersecurity risk assessment addressing IoT and OT devices. As a result, the department did not know what additional security protections were needed to address growing and evolving threats.”
HHS’s Administration for Strategic Preparedness and Response (ASPR), which is tasked with fostering health sector resilience and security, also drew criticism from GAO for inconsistent monitoring, unclear responsibilities, and outdated charters across several sector-focused working groups under its leadership.
Meanwhile, the Centers for Medicare and Medicaid Services (CMS) imposed cybersecurity requirements for data sharing with state agencies that often conflict with those of other Federal agencies. CMS also lacked cybersecurity standards for coordinating Federal efforts on state cybersecurity assessments, GAO said.
“The conflicting parameters can place an unnecessary burden on state officials’ time and resources. This in turn could lead to reduced attention on other important cybersecurity efforts,” GAO said.
GAO’s latest report reiterated several recommendations for HHS, including: CMS soliciting input from relevant Federal agencies on revisions to its security policy and revising that policy to improve interagency coordination; ASPR taking full and consistent action to demonstrate collaboration practices; coordinating with CISA to determine appropriate health sector cybersecurity practices; coordinating with CISA and sector entities to develop evaluation procedures; and including IoT and OT devices in sector risk assessments.
“Until HHS implements our prior recommendations related to improving cybersecurity, the department risks not being able to effectively carry out its lead agency responsibilities, resulting in potential adverse impact on healthcare providers and patient care,” GAO said.