
HHS has not adopted all GAO cybersecurity recommendations

GAO said that it is still waiting on HHS to implement several cybersecurity recommendations laid out for the department in various GAO reports.

HHS has not yet fully implemented several of the Government Accountability Office's cybersecurity recommendations, putting its ability to carry out its leadership duties at risk, GAO stated in a report. The report explored GAO's past recommendations as well as the challenges that HHS and the healthcare sector face when it comes to cybersecurity.

GAO acknowledged that the healthcare sector is facing increased cyberattacks and that, as the lead federal agency for healthcare, HHS is responsible for strengthening cybersecurity across the sector.

GAO listed several of its recommended actions from previous reports that have not been fully implemented. For example, GAO recalled a May 2020 report that discovered conflicting cybersecurity requirements between CMS and other federal agencies that share data with states.

The report found that while CMS had coordinated with state agencies when assessing states' cybersecurity, it did not have policies in place for coordinating with other federal agencies.

"The conflicting parameters can place an unnecessary burden on state officials' time and resources. This in turn could lead to reduced attention on other important cybersecurity efforts," GAO stated.

At the time, GAO recommended that CMS revise its policies to ensure consistent cybersecurity requirements for state agencies. As of February 2024, CMS stated that it would revise its assessment policies to maximize coordination but had not provided documentation. However, several of the other recommendations from the report were successfully implemented.

In a 2021 report, GAO called on HHS to ensure that the Administration for Strategic Preparedness and Response (ASPR) could demonstrate the effectiveness of its actions to improve cybersecurity, including clarifying roles and responsibilities and monitoring ASPR's progress toward its documented goals.

As of April 2024, HHS stated that ASPR's leadership of the Healthcare and Public Health (HPH) Sector Risk Management Agency (SRMA) Cyber Working Group allows it to better oversee the working group and its projects.

"We will follow up with the department to obtain documentation demonstrating ASPR's oversight of the working groups' progress and performance," GAO stated.

GAO raised concerns about HHS' progress on several other recommendations from the past few years, including a recommendation to work with the Cybersecurity and Infrastructure Security Agency (CISA) to develop evaluation procedures to measure cross-agency efforts to reduce ransomware risk.

As of July 2024, HHS told GAO that it was continuing to work with CISA to develop these procedures and will provide a formal update to GAO soon.

While many of the goals mentioned in GAO's report are in progress, GAO further stressed the importance of prioritizing these goals to reduce risk across the sector and enhance coordination between HHS and other federal agencies.

"Until HHS implements our prior recommendations related to improving cybersecurity, the department risks not being able to effectively carry out its lead agency responsibilities, resulting in potential adverse impact on healthcare providers and patient care," GAO concluded.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
