HHS Must Enhance Its Leadership in Cybersecurity for the Health Sector


Watchdog Agency Report Highlights Inaction on Cybersecurity Recommendations

GAO: HHS Needs to Be a Better Leader in Health Sector Cyber
The GAO report indicates that the HHS has yet to implement critical recommendations aimed at improving its leadership role in healthcare cybersecurity. (Image: GAO)

The U.S. Department of Health and Human Services (HHS) has received a formal call to action from the Government Accountability Office (GAO) regarding its responsibilities as the primary federal body tasked with enhancing cybersecurity within the healthcare and public health sectors. The recent GAO report outlines multiple recommendations that have not been adopted by HHS, raising significant concerns about the agency’s effectiveness in addressing cybersecurity vulnerabilities, particularly in mitigating ransomware threats.

The GAO underscored that HHS has failed to adequately monitor the implementation of ransomware mitigation strategies within the healthcare sector. This weakness could expose sensitive data and services to cybercriminals, with hospitals being particularly vulnerable. In a related finding, a January 2024 GAO analysis showed that U.S. hospitals reported having adopted only 70.7% of recommended cybersecurity practices derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Yet, as of the GAO’s latest report, HHS had not begun tracking the adoption of specific ransomware-related practices highlighted in this same framework.

This lack of oversight could be attributed to potential gaps in HHS’s operational practices, as described by the GAO. They noted that while HHS officials indicated they would monitor key cybersecurity implementation metrics, they failed to provide concrete evidence of any such strategies in action. Consequently, this oversight hampers HHS’s ability to allocate resources effectively, increasing the potential risk vectors within the healthcare sector.

The report articulates several recommendations that have gone unheeded, including a request for HHS to partner with the Cybersecurity and Infrastructure Security Agency (CISA) to establish assessment procedures for their ransomware risk mitigation efforts. Additionally, a broad-based cybersecurity risk assessment is warranted to address the vulnerabilities presented by Internet of Things (IoT) and operational technology (OT) devices in healthcare.

Despite these challenges, HHS has engaged in various initiatives aimed at improving cybersecurity incentives within the healthcare space. For instance, although not specifically cited in the GAO’s report, HHS has made efforts to persuade healthcare entities to voluntarily adopt cybersecurity performance goals published in a concept paper by the Biden administration in December of the prior year. However, comprehensive regulatory mandates are still pending action from the incoming administration as an impending leadership change looms.

In light of the GAO’s findings, stakeholder organizations stress the urgency of a strengthened collaborative framework between HHS and CISA. This collaboration is essential to navigate an increasingly complex cybersecurity landscape, where threats can emerge rapidly and without warning. The ability of healthcare providers to access timely resources and guidance during cyber incidents is paramount. According to survey data from the College of Healthcare Information Management Executives (CHIME), a notable 92% of organizations rely on information from CISA, further emphasizing the necessity for streamlined communication and resource sharing.

While HHS has asserted intentions to carry out a sectorwide cybersecurity risk assessment, there remains a lack of public documentation or updates on the progress made thus far. Establishing awareness of which entities pose substantial risks to the healthcare ecosystem is critical in fortifying the sector against future cyber threats, particularly in an environment where a single weak point could cause ripple effects throughout the entire healthcare infrastructure.

The GAO’s report reveals that without immediate and decisive actions, the healthcare sector may continue to be at risk. The combination of insufficient monitoring and lack of adherence to established guidelines showcases a precarious situation that could lead to dire consequences if not addressed effectively and swiftly. The transition to new leadership within HHS might shape the trajectory for these policies, emphasizing the need for stakeholders to advocate for meaningful reforms amidst an evolving threat landscape.
