HHS has failed to remedy cybersecurity vulnerabilities in its systems that could put PHI at risk, warned the GAO in a report released July 25.
The GAO cited problems at CMS that threaten to compromise Medicare beneficiary data and the privacy of users’ data on state-based marketplaces.
In addition, HHS had not fully addressed key security elements in its guidance for protecting the security and privacy of electronic health information, GAO noted.
These failures to act are not just an issue with HHS. Across federal agencies, GAO has since 2010 made more than 3,000 recommendations to agencies to address cybersecurity shortcomings. As of July 2018, about 1,000 still needed to be implemented.
“Until these shortcomings are addressed, federal agencies' information and systems will be increasingly susceptible to the multitude of cyber-related threats that exist,” warned the GAO report, Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation.
In the report, GAO identified four major cybersecurity challenges and ten critical actions that the federal government and other entities need to take to address these challenges.
The four major challenges are:
- Establishing a comprehensive cybersecurity strategy and performing effective oversight
- Securing federal systems and information
- Protecting cyber critical infrastructure
- Protecting privacy and sensitive data
To address the first challenge, GAO recommended that federal agencies and other entities develop and execute a more comprehensive strategy for national cybersecurity and global cyberspace, mitigate global supply chain risks, address cybersecurity workforce management challenges, and ensure the security of emerging technologies.
For the second challenge, the government watchdog said that federal agencies should improve implementation of government-wide cybersecurity initiatives, address weaknesses in federal agency information security programs, and enhance federal response to cyber incidents.
To tackle the third challenge, the agency supported strengthening the federal role in protecting the cybersecurity of critical infrastructure.
For the fourth challenge, GAO backed improving federal efforts to protect privacy and sensitive data, limit the collection and use of personal information, and ensure that such information is obtained with appropriate knowledge or consent.
The government watchdog admitted that the federal government has been “challenged” in protecting privacy and sensitive data.
“Given that access to data is so pervasive, personal privacy hinges on ensuring that databases of PII maintained by government agencies or on their behalf are protected both from inappropriate access (i.e., data breaches) as well as inappropriate use (i.e., for purposes not originally specified when the information was collected),” the report observed.
“The vast number of individuals potentially affected by data breaches at federal agencies and private sector entities in recent years increases concerns that PII is not being properly protected,” it related.
GAO recommended that Congress consider amending the Privacy Act of 1974 and the E-Government Act of 2002 to better protect PII. It also supported strengthening the consumer privacy framework, which includes a consumer privacy bill of rights, describes a stakeholder process to specify how the bill of rights would apply, and encourages Congress to provide the FTC with enforcement authorities for the bill of rights.
In addition, Congress should review the adequacy of consumers’ ability to access, correct, and control their personal information and of privacy controls for new technologies such as web tracking and mobile devices, the report stressed.
“The federal government and the nation’s critical infrastructure are dependent on IT systems and electronic data, which make them highly vulnerable to a wide and evolving array of cyber-based threats. Securing these systems and data is vital to the nation’s security, prosperity, and well-being. Nevertheless, the security over these systems and data is inconsistent and urgent actions are needed to address ongoing cybersecurity and privacy challenges,” the report warned.
“Until our recommendations are addressed and actions are taken to address the four challenges we identified, the federal government, the national critical infrastructure, and the personal information of U.S. citizens will be increasingly susceptible to the multitude of cyber-related threats that exist,” GAO concluded.