A report by the Government Accountability Office (GAO) found that the Department of Health and Human Services (HHS) has clearly defined roles and responsibilities for coordination with healthcare organizations to support cybersecurity efforts. However, GAO found areas where HHS could improve collaboration.
HHS’ Office of Information Security handles department-wide cybersecurity and has “clearly defined responsibilities for the divisions within that office to, among other things, document and implement a cybersecurity program, as required by the Federal Information Security Modernization Act (FISMA) of 2014.” HHS has defined responsibilities for five of its entities, including the Health Sector Cybersecurity Coordination Center and the Healthcare Threat Operations Center.
GAO stated in its report that private-sector partners receive information provided by the Health Sector Cybersecurity Coordination Center and informed GAO that they could benefit from receiving more actionable threat information. This center, however, doesn’t “routinely receive such information from the Healthcare Threat Operations Center, and therefore is not positioned to provide it to sector partners.”
“This lack of information sharing is due, in part, to HHS not describing coordination between the two entities in procedures defining their responsibilities for cybersecurity information sharing,” wrote GAO. “Until HHS formalizes coordination for the two entities, they will continue to miss an opportunity to strengthen information sharing with sector partners.”
Additionally, HHS entities either led or participated in seven collaborative groups focused on cybersecurity within HHS and the healthcare and public health sector between March 2020 and December 2020. GAO identified seven leading collaboration practices; HHS entities “fully demonstrated consistency” with four of the seven and partially addressed the remaining three.
“Until HHS takes action to fully demonstrate the remaining three leading practices, it cannot ensure that it is improving cybersecurity within the department and the healthcare and public health sector,” wrote GAO.
GAO made seven recommendations in the report to improve collaboration and coordination within HHS and the sector. HHS agreed with six of the recommendations and disagreed with one.