Dive Brief:
- The Department of Health and Human Services has faced challenges mitigating cybersecurity risks in the healthcare sector, according to a report published Thursday by the Government Accountability Office.
- The department hasn’t implemented policies previously recommended by the government watchdog, including tracking industry adoption of ransomware-specific cyber practices or assessing risks from IoT or operational technology devices.
- Until the HHS fills those gaps, the department could be unable to effectively lead the industry in cybersecurity — a potential risk for providers and patient care, according to the GAO.
Dive Insight:
Despite the HHS’ stated efforts to limit the sector’s cyber risks, the department hasn’t put in place policies that could help the industry improve its security, according to the watchdog.
The report comes as the healthcare sector is facing a growing scourge of cyberattacks and data breaches, including the high-profile cyberattack on UnitedHealth-owned technology firm and claims processor Change Healthcare earlier this year.
The watchdog cited several examples where it says the HHS faced challenges mitigating risks.
In one, the HHS said hospitals reported adopting nearly 71% of practices under the National Institute of Standards and Technology Cybersecurity Framework to detect, respond to and recover from cyberattacks.
But the GAO noted the department wasn’t tracking the framework’s specific standards for ransomware, a type of malware that denies users access to their data and that has become a growing threat to healthcare organizations.
“Although HHS officials told us that they would be able to assess implementation of key concepts in the framework, the department did not provide evidence of its efforts to do so,” the GAO wrote. “Without full awareness of the sector’s adoption of cybersecurity practices, HHS risks not directing resources where needed.”
The agency added that the HHS hasn’t evaluated the effectiveness of its support tools, like guidance documents, training and threat briefings.
It also hasn’t conducted an industrywide assessment of risks from IoT or operational technology devices.
Without an assessment, the HHS won’t know what new security measures are necessary to address evolving threats, the GAO said.
Meanwhile, the Centers for Medicare and Medicaid Services established cyber requirements to protect data it shares with state agencies, but those standards conflicted with the requirements of other federal agencies that work closely with states, such as the Social Security Administration.
“The conflicting parameters can place an unnecessary burden on state officials’ time and resources,” the watchdog wrote in the report. “This in turn could lead to reduced attention on other important cybersecurity efforts.”
The HHS didn’t respond to a request for comment by press time.