The U.S. General Accounting Office (GAO) has identified challenges facing the Department of Health and Human Services (HHS) in meeting its cybersecurity responsibilities. Strengthening HHS leadership could be accomplished by implementing previous recommendations. Cyberattacks against the medical and public health sector have increased rapidly in recent years.
As the lead federal agency for this critical infrastructure sector, HHS is struggling with its cybersecurity responsibilities and has not yet implemented all of the recommendations to address these issues. These responsibilities include coordinating with the Cybersecurity and Infrastructure Security Agency (CISA), the national coordinator for critical infrastructure security and resiliency.
In February of this year, healthcare payment processing company Change Healthcare suffered a ransomware attack that resulted in data theft, losses of US$874 million, and significant disruption to healthcare providers and patient care. The incident highlights the difficulty HHS has in managing the sector's cybersecurity. The Department has not yet implemented all of the recommended measures to address these issues.
HHS has launched an initiative to reduce the risk of ransomware in healthcare and public health. However, GAO's previous findings indicate that the department does not effectively monitor the implementation of these practices. In January of this year, GAO reported that HHS had released an analysis of U.S. hospital cybersecurity. The analysis revealed that participating hospitals self-reported adopting 70.7 percent of the key areas of the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond, and Recover.
“However, at the time of our report, HHS had not yet tracked the adoption of the ransomware-specific practices outlined in the framework,” GAO said. “Although HHS officials told us they would be able to assess implementation of key concepts within the framework, the department provided no evidence of efforts to do so. Without sufficient awareness of the adoption of cybersecurity practices in the sector, HHS risks not putting resources where they need to be.”
GAO recommended that HHS work with CISA and sectoral bodies to determine whether the sector is adopting advanced cybersecurity practices that help reduce the risk of ransomware.
The watchdog also found that HHS did not assess the effectiveness of the assistance it provided to the sector. Specifically, GAO reported that HHS provided various types of support to help the sector manage ransomware risk, including guidance documents, training, job aids, and threat briefings. However, the Department has not demonstrated that it has evaluated which types of support are most effective. As a result, the department was unable to fully address concerns regarding communication, coordination, and timely sharing of threat and incident information.
GAO proposed that HHS work with CISA and sectoral bodies to develop evaluation procedures to measure the effectiveness of support in mitigating ransomware risk.
Regarding assessment of the sector's cybersecurity risks, GAO's report notes that, apart from IT, the healthcare sector also depends on Internet of Things (IoT) and operational technology (OT) devices and systems to provide essential healthcare and public health services. In December 2022, GAO reported that while HHS continued to conduct risk activities for one specific type of IoT device, medical devices, “it did not conduct a full cybersecurity risk assessment. As a result, the Department did not know what additional security protections were needed to address growing and evolving threats,” GAO said.
GAO suggested that HHS include IoT and OT devices as part of the department's cyber environment risk assessment.
Regarding sector cybersecurity coordination and collaboration, GAO assessed that within HHS, the Office of Strategic Preparedness and Response (ASPR) is responsible for leading collaborative efforts to strengthen the sector's security and resiliency. “In June 2021, we reported that ASPR was leading or co-leading several working groups focused on supporting this sector. We determined that it demonstrated collaborative practices.”
However, ASPR did not fully or consistently monitor the working groups' progress toward achieving defined goals, or regularly update the charters that clarify responsibilities for carrying out each group's role and describe how the working groups will work together. As a result, ASPR could not ensure that the groups were working together effectively to improve cybersecurity. GAO recommended that ASPR take steps to fully and consistently demonstrate key collaboration practices.
“Until HHS implements its previous recommendations to improve cybersecurity, the Department may not be able to effectively carry out its lead agency responsibilities, which could negatively affect health care providers and patient care,” GAO said in its conclusion.
In May, GAO issued additional “priority recommendations” to the Environmental Protection Agency (EPA), bringing the total to 12. The recommendations cover five areas, including addressing data and risk communication issues related to drinking water and wastewater infrastructure, managing climate risks, protecting the nation's air quality, and ensuring cybersecurity.
Prior to that, in March, GAO conducted a review of CISA's 13 OT (operational technology) cybersecurity products and services. The review found that while 12 of the 13 non-federal agencies reported positive experiences with CISA's services, it also highlighted challenges that CISA and seven of the agencies identified.