GAO: HHS Must Collaborate to Ensure Healthcare Cybersecurity

June 30, 2021 - HHS clearly defined roles and responsibilities within its security departments, but a lack of collaboration between these entities is preventing adequate healthcare cybersecurity, according to a study conducted by the US Government Accountability Office (GAO).

GAO was tasked with reviewing HHS’s organizational approach and reflecting on its roles, responsibilities, and collaboration efforts. Researchers evaluated roles and responsibilities and scanned for any overlap, duplication, or fragmentation that went against GAO’s leading collaboration practices.

Under the Federal Information Security Modernization Act of 2014, HHS implemented a cybersecurity program and identified roles and responsibilities within the Office of Information Security, which is responsible for overseeing cybersecurity across HHS.

HHS also defined roles and responsibilities for the Health Sector Cybersecurity Coordination Center (HC3) and the Healthcare Threat Operations Center (HTOC). But GAO was informed by private-sector partners that HC3 would benefit from receiving threat information more frequently. Since HC3 does not regularly receive information from HTOC, the potential for collaboration is often lost.

“This lack of sharing is due, in part, to HHS not describing coordination between the two entities in procedures defining their responsibilities for cybersecurity information sharing. Until HHS formalizes coordination for the two entities, they will continue to miss an opportunity to strengthen information sharing with sector partners,” the study stated.

GAO analyzed the extent to which the HHS entities demonstrated consistency with leading collaboration practices. Results revealed that all seven entities were consistent in identifying resources, bridging organizational cultures, identifying leadership, and including relevant participants in the group.

HHS fell short in some leading practices, with only six of seven groups consistently documenting and updating written guidance and clarifying roles and responsibilities. Five of the seven groups successfully and regularly define and track outcomes and accountability for their organizations.

“Until HHS takes action to fully demonstrate the remaining three leading practices, it cannot ensure that it is improving cybersecurity within the department and the healthcare and public health sector,” the study warned.

As a result of this research, GAO came up with seven recommendations for HHS to improve collaboration within the department and the healthcare cybersecurity sector as a whole. HHS agreed with six of seven of GAO’s recommendations.

It disagreed with the first recommendation, which stated that “The Secretary of HHS should direct the Chief Information Officer to coordinate cybersecurity information sharing between the Health Sector Cybersecurity Coordination Center and Healthcare Threat Operations Center.”

Due to the sensitive and highly confidential information that HTOC possesses, HHS opposed sharing information across entities without explicit permission and supervision. In addition, the study stated that HHS does not believe any duplication exists between the information shared between the two entities, therefore no changes need to be made. GAO still advises that HHS reconsider the recommendation.

The remaining recommendations all suggest operational changes to encourage collaboration. GAO recommends that the HHS secretary should “Direct the Chief Information Officer to monitor, evaluate, and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group.”

In addition, GAO suggests that the HHS secretary regularly monitor how these entities facilitate collaboration, and consistently update written agreements. HHS should also appoint the assistant secretary for preparedness and response to review and update the Joint Healthcare and Public Health Cybersecurity Working Group charter. HHS plans on implementing elements of six GAO recommendations.

President Biden’s executive order on improving the nation’s cybersecurity sparked an influx of new guidelines, policy changes, and investigations into how the government manages cybersecurity as ransomware attacks become an almost daily occurrence across all sectors, especially healthcare.

HHS’s Office of the Inspector General (OIG) recently released a study that evaluated how Medicare accreditation organizations (AOs) use their discretion to assess the cybersecurity of networked medical devices. OIG discovered that AOs rarely use their discretion in these cases. Without adequate cybersecurity measures, networked medical devices could serve as an open invitation to hackers.

Another effort to improve cybersecurity came from the National Institute of Standards and Technology (NIST), which released a ransomware risk management framework to help organizations mitigate cybersecurity risks.