GAO says HHS needs to improve cybersecurity info sharing

The Department of Health and Human Services must improve collaboration among several of its key internal entities, according to a government watchdog report.

A new Government Accountability Office (GAO) report has found that while the Department of Health and Human Services (HHS) has made substantial efforts to share cyber security threat intel with the wider health care sector, it could do more to develop its collaboration and coordination within the department and the sector.

GAO says it conducted its study because HHS and the healthcare and public health sector "rely heavily on information systems to fulfil their missions," including delivering healthcare-related services and responding to national health emergencies, such as COVID-19.

"Any disruption in the systems used by HHS and healthcare sector organisations could be catastrophic for the many Americans who rely on their services," the GAO notes.

"For example, a cyberattack resulting in the disruption of IT systems supporting pharmacies, hospitals, and physicians’ offices would interfere with the approval and distribution of the life-saving medications and other products needed by patients and healthcare facilities," the GAO writes.

"Without proper safeguards, computer systems are vulnerable to individuals and groups with malicious intent who can intrude and use their access to obtain sensitive information, commit fraud and identity theft, disrupt operations, or launch attacks against other computer systems and networks," GAO concludes.

The report said HHS had clearly described roles and responsibilities for implementing its cyber security programme, including the FISMA-required eight elements of the programme. The department had also developed or contributed to developing policies, procedures, and plans that described the department’s roles and responsibilities for providing cyber security support to the healthcare and public health (HPH) sector.

However, the report said that procedures and plans did not describe coordination between two entities critical to the department’s cyber security information sharing with the HPH sector: the Health Sector Cybersecurity Coordination Centre (HC3) and the Healthcare Threat Operations Centre (HTOC).

“Without coordinating the responsibilities for sharing cyber security information to the HPH sector, HHS is missing an opportunity to strengthen those efforts for their intended audience,” the report warned.

The GAO said there were areas where HHS could improve, such as actionable threat sharing and better support for industry partnerships.

The GAO said that the secretary of HHS should direct its chief information officer to coordinate cyber security information sharing between the Health Sector Cybersecurity Coordination Centre and Healthcare Threat Operations Centre. It should also direct its CIO to monitor, evaluate, and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group. 

The report said the HHS stated it is currently addressing the six recommendations it agreed with, but it did not agree with the GAO findings on cyber security coordination. 
