OIG: Inadequate Standards and Third-Party Oversight May Endanger Health Sector Agencies

In a recent report, auditors from the U.S. Department of Health and Human Services (HHS) emphasized the urgent need for standardized governance and controls across its divisions to enhance its response capabilities against cyber threats. They highlighted that the current fragmented cybersecurity approach complicates HHS’s preparedness to tackle potential cyber risks effectively.
According to the HHS Office of Inspector General, disparities in control measures across various divisions hinder coordinated cybersecurity efforts. Although improvements have been noted, the integration of cybersecurity functions remains burdensome, often reliant on individual divisions and programs.
The auditors also raised significant concerns regarding third-party risks associated with numerous contractors and vendors, which further complicate the cybersecurity landscape. As noted in their report, “Cybersecurity measures must be extended not only to the department but to the myriad of HHS contractors and external entities.” These external partnerships significantly heighten the risk profile facing HHS.
In its semiannual report to Congress, the Office of Inspector General underscored cybersecurity risk management as a top priority. The potential fallout from a successful cyberattack could jeopardize both operational efficacy and the health of those reliant on HHS services.
The ongoing challenge of bolstering cybersecurity within HHS is compounded by the pervasive and evolving nature of threats. The auditors remarked on the department’s historical underpreparedness, worsened by an over-reliance on aging technology and staffing difficulties. Furthermore, outdated regulations surrounding data privacy and cybersecurity exacerbate these issues.
Specifically, auditors pointed to the limitations of the decades-old HIPAA Privacy Rule and Security Rule, indicating these frameworks may not adequately address modern privacy needs or the enhanced risks associated with electronic protected health information. “Adapting to evolved privacy and security requirements within the rigid statutory framework of HIPAA is crucial,” they stated.
Proposed revisions to the HIPAA security rule emerged from the Biden administration, and similar modifications were suggested during the Trump administration regarding the HIPAA Privacy Rule. These pending adjustments are part of HHS’s ongoing regulatory agenda, though concrete timelines for their finalization remain unclear.
In response to the OIG reports, HHS has acknowledged its commitment to addressing these concerns. Representatives stated that efforts are underway to optimize IT and cybersecurity frameworks, aiming to modernize outdated systems to enhance overall security, efficiency, and accountability.