GAO says HHS needs to improve cybersecurity info sharing

The Department of Health and Human Services must improve collaboration among several of its key internal entities according to Government watchdog report.

A new Government Accountability Office (GAO) report has found that while the Department of Health and Human Services (HHS) has made substantial efforts to share cyber security threat intel with the wider health care sector, it could do more to develop its collaboration and coordination within the department and the sector.

GAO says it conducted its study because HHS and the healthcare and public health sector "rely heavily on information systems to fulfil their missions," including delivering healthcare-related services and responding to national health emergencies, such as COVID-19.

"Any disruption in the systems used by HHS and healthcare sector organisations could be catastrophic for the many Americans who rely on their services," the GAO notes.

"For example, a cyberattack resulting in the disruption of IT systems supporting pharmacies, hospitals, and physicians’ offices would interfere with the approval and distribution of the life-saving medications and other products needed by patients and healthcare facilities," the GAO writes.

"Without proper safeguards, computer systems are vulnerable to individuals and groups with malicious intent who can intrude and use their access to obtain sensitive information, commit fraud and identity theft, disrupt operations, or launch attacks against other computer systems and networks, GAO concludes.

The report said HHS had clearly described roles and responsibilities for implementing its cyber security programme, including the FISMA-required eight elements of the programme. The department had also developed or contributed to developing policies, procedures, and plans that described the department’s roles and responsibilities for providing cyber security support to the healthcare and public health care (HPH) sector.

However, the report said that procedures and plans did not describe co-ordination among two entities critical to the department’s cyber security information sharing with the HPH sector - the Health Sector Cybersecurity Coordination Centre (HC3) and the Healthcare Threat Operations Centre (HTOC).

“Without coordinating the responsibilities for sharing cyber security information to the HPH sector, HHS is missing an opportunity to strengthen those efforts for their intended audience,” the report warned.

The GAO said there were areas where HHS could improve, such as actionable threat sharing and better support for industry partnerships.

The GAO said that the secretary of HHS should direct its chief information officer to coordinate cyber security information sharing between the Health Sector Cybersecurity Coordination Centre and Healthcare Threat Operations Centre. It should also direct its CIO to monitor, evaluate, and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group. 

The report said the HHS stated it is currently addressing the six recommendations it agreed with, but it did not agree with the GAO findings on cyber security coordination. 

Share

Featured Articles

BlueVoyant's Tom Moore Talks Legal Procedure Following Hack

BlueVoyant's Tom Moore explains how companies should act with legal council following a cyber attack

GDPR: Studying the World's Strictest Security Law 6 Years On

We take a look at the history, impact, and future of GDPR to see how it has effected the cyber sphere six years after its enactment

Banking Titan Baird Gives 9 Pointers for Cyber Investors

Investment bank Baird have made nine observations from RSA Conference that investors should consider when investing in today’s cyber market

OpenText's Pillr Buy Show Acquisitions Still in its Strategy

Cyber Security

Zoom Prepares for Quantum World with Post-Quantum Encryption

Cyber Security

Tenable: Security Expertise Gap Threatening Cloud Expansion

Operational Security