GAO Highlights Gaps in HHS Cybersecurity Oversight Amid Rising Threats

Despite increasing cyberattacks targeting the US health care industry, the Government Accountability Office (GAO) has reported that the US Department of Health and Human Services (HHS) lacks robust policies to mitigate cyber risks.

Concern over cybersecurity in health care systems has been on the rise, particularly since the high-profile attack on Change Healthcare, a UnitedHealth-owned claims processor, which affected over 100 million people in February 2024. Since then, HHS has reported that hospitals have adopted 71% of the practices under the National Institute of Standards and Technology (NIST) Cybersecurity Framework. However, HHS has not tracked standards specific to ransomware, the most pertinent threat to health care organizations.

Additionally, the GAO reported that HHS has not fully assessed implementation of the cybersecurity framework, which has limited its ability to allocate resources effectively. HHS has also not evaluated its support tools, such as guidance documents, training, and threat briefings. Furthermore, it has not conducted a comprehensive assessment of risks related to internet of things (IoT) or operational technology (OT) devices. These interconnected systems are increasingly used in health care but remain underaddressed in current security strategies.

The GAO also reported that the Centers for Medicare and Medicaid Services (CMS) has established cybersecurity requirements to protect the data it shares with state government agencies. However, these standards conflict with those of other federal agencies, such as the Social Security Administration, creating an unnecessary burden on state officials and potentially detracting from other cybersecurity efforts.

Recent attacks have heightened fears among health care providers, leaders, and patients regarding security. The GAO has urged HHS to take action, warning that without appropriate measures to strengthen cybersecurity oversight, the department risks falling further behind in mitigating the rising tide of cyberattacks targeting the health care sector.

“Until the HHS implements our prior recommendations related to improving cybersecurity, the department risks not being able to effectively carry out its lead agency responsibilities, resulting in potential adverse impact on healthcare providers and patient care,” the GAO concluded.

References

Olsen E. HHS facing challenges as lead agency for healthcare cybersecurity: GAO. Healthcare Dive. Published November 19, 2024. Accessed November 21, 2024. https://www.healthcaredive.com/news/hhs-healthcare-cybersecurity-policy-challenges-gao/732965/

Healthcare cybersecurity: HHS continues to have challenges as lead agency. US Government Accountability Office. Published November 13, 2024. Accessed November 21, 2024. https://www.gao.gov/products/gao-25-107755