The Department of Health and Human Services (HHS) still needs to address a pair of open cybersecurity priority recommendations related to cybersecurity coordination and implementation of a cybersecurity framework, according to a new report by the Government Accountability Organization (GAO).
GAO reported those open recommendations as part of a larger set of 56 open priority recommendations: 51 carried over still open from a May 2021 GAO report, and five are new priority recommendations that GAO added in its latest report.
In the new report, GAO said HHS did complete action on a pair of recommendations that address and improve the agency’s cyber risk management.
“The Federal government exchanges a large variety of sensitive information with states to implement key federal and state programs,” GAO said. “Recent high profile cyberattacks targeting the public and private sectors highlight the urgent need to address cybersecurity weaknesses.”
“We have identified two priority recommendations in this area that call for working with sector partners to determine cybersecurity framework adoption and revising assessment policies to maximize coordination,” the report continues. “If implemented, these recommendations would improve HHS’s ability to address cyber-related risks.”
The first still-open cybersecurity recommendation calls on the Centers for Medicaid and Medicare Services (CMS) administrator to revise assessment policies to ensure that CMS can maximize Federal agency coordination. HHS agreed with the recommendation, but GAO said CMS has not provided a time frame in which the agency component will act on the recommendation.
“Maximizing coordination with other Federal agencies would help provide reasonable assurance that CMS is leveraging compatible assessments with other agencies and may help to reduce Federal resources associated with their implementation,” GAO said.
The other open recommendation calls for the HHS Secretary to work with the Secretary of Agriculture, and other partners like the sector coordinating council, the Department of Homeland Security, and the National Institute of Standards and Technology to “develop methods for determining the level and type of [cybersecurity] framework adoption by entities across their respective sector.”
The agency also concurred with this recommendation and said it plans to form a task force to discuss and understand how frameworks are used across the sector.
“We maintain that implementing this recommendation to gain a more comprehensive understanding of the framework’s use by critical infrastructure sectors is essential to the success of protection efforts,” GAO said. “Until sector risk management agencies have a more comprehensive understanding of the use of the cyber framework by the critical sectors, they will be limited in their ability to evaluate the success of protection efforts or to determine where to focus limited resources for cyber risk mitigation.”