GAO says HHS needs to improve cybersecurity info sharing
A new Government Accountability Office (GAO) report has found that while the Department of Health and Human Services (HHS) has made substantial efforts to share cyber security threat intel with the wider health care sector, it could do more to develop its collaboration and coordination within the department and the sector.
GAO says it conducted its study because HHS and the healthcare and public health sector "rely heavily on information systems to fulfil their missions," including delivering healthcare-related services and responding to national health emergencies, such as COVID-19.
"Any disruption in the systems used by HHS and healthcare sector organisations could be catastrophic for the many Americans who rely on their services," the GAO notes.
"For example, a cyberattack resulting in the disruption of IT systems supporting pharmacies, hospitals, and physicians’ offices would interfere with the approval and distribution of the life-saving medications and other products needed by patients and healthcare facilities," the GAO writes.
"Without proper safeguards, computer systems are vulnerable to individuals and groups with malicious intent who can intrude and use their access to obtain sensitive information, commit fraud and identity theft, disrupt operations, or launch attacks against other computer systems and networks, GAO concludes.
The report said HHS had clearly described roles and responsibilities for implementing its cyber security programme, including the FISMA-required eight elements of the programme. The department had also developed or contributed to developing policies, procedures, and plans that described the department’s roles and responsibilities for providing cyber security support to the healthcare and public health care (HPH) sector.
However, the report said that procedures and plans did not describe co-ordination among two entities critical to the department’s cyber security information sharing with the HPH sector - the Health Sector Cybersecurity Coordination Centre (HC3) and the Healthcare Threat Operations Centre (HTOC).
“Without coordinating the responsibilities for sharing cyber security information to the HPH sector, HHS is missing an opportunity to strengthen those efforts for their intended audience,” the report warned.
The GAO said there were areas where HHS could improve, such as actionable threat sharing and better support for industry partnerships.
The GAO said that the secretary of HHS should direct its chief information officer to coordinate cyber security information sharing between the Health Sector Cybersecurity Coordination Centre and Healthcare Threat Operations Centre. It should also direct its CIO to monitor, evaluate, and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group.
The report said the HHS stated it is currently addressing the six recommendations it agreed with, but it did not agree with the GAO findings on cyber security coordination.