GAO says HHS needs to improve cybersecurity info sharing

The Department of Health and Human Services must improve collaboration among several of its key internal entities, according to a government watchdog report.

A new Government Accountability Office (GAO) report has found that while the Department of Health and Human Services (HHS) has made substantial efforts to share cyber security threat intel with the wider health care sector, it could do more to develop its collaboration and coordination within the department and the sector.

GAO says it conducted its study because HHS and the healthcare and public health sector "rely heavily on information systems to fulfil their missions," including delivering healthcare-related services and responding to national health emergencies, such as COVID-19.

"Any disruption in the systems used by HHS and healthcare sector organisations could be catastrophic for the many Americans who rely on their services," the GAO notes.

"For example, a cyberattack resulting in the disruption of IT systems supporting pharmacies, hospitals, and physicians’ offices would interfere with the approval and distribution of the life-saving medications and other products needed by patients and healthcare facilities," the GAO writes.

"Without proper safeguards, computer systems are vulnerable to individuals and groups with malicious intent who can intrude and use their access to obtain sensitive information, commit fraud and identity theft, disrupt operations, or launch attacks against other computer systems and networks," the GAO concludes.

The report said HHS had clearly described roles and responsibilities for implementing its cyber security programme, including the FISMA-required eight elements of the programme. The department had also developed or contributed to developing policies, procedures, and plans that described the department’s roles and responsibilities for providing cyber security support to the healthcare and public health (HPH) sector.

However, the report said that procedures and plans did not describe coordination between two entities critical to the department’s cyber security information sharing with the HPH sector: the Health Sector Cybersecurity Coordination Centre (HC3) and the Healthcare Threat Operations Centre (HTOC).

“Without coordinating the responsibilities for sharing cyber security information to the HPH sector, HHS is missing an opportunity to strengthen those efforts for their intended audience,” the report warned.

The GAO said there were areas where HHS could improve, such as actionable threat sharing and better support for industry partnerships.

The GAO said that the secretary of HHS should direct its chief information officer to coordinate cyber security information sharing between the Health Sector Cybersecurity Coordination Centre and Healthcare Threat Operations Centre. It should also direct its CIO to monitor, evaluate, and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group. 

The report said the HHS stated it is currently addressing the six recommendations it agreed with, but it did not agree with the GAO findings on cyber security coordination. 
