HHS has still not addressed key cyber recommendations, GAO says

J. David Ake/Getty Images

The Government Accountability Office said its unaddressed cyber guidance can result “in potential adverse impact on healthcare providers and patient care.”

The Department of Health and Human Services “continues to have challenges” when it comes to mitigating cybersecurity risks to the healthcare and public health sector, according to a snapshot report released on Wednesday by the Government Accountability Office.

GAO’s assessment warned that previously identified gaps in HHS cybersecurity responsibilities remain unaddressed, even as threats to critical healthcare infrastructure have increased in recent years. 

The watchdog said that major cyberattacks — such as the February 2024 Change Healthcare ransomware attack that disrupted prescription services and provider payments at medical facilities across the U.S. — have underscored the need for HHS to take action on GAO’s outstanding cyber recommendations. 

The report noted that HHS already “has several initiatives intended to mitigate ransomware risks for healthcare and public health,” but that GAO previously found that the department “had not adequately monitored the sector’s implementation of ransomware mitigation practices.”

A January 2024 report from the watchdog said that an HHS analysis of U.S. hospitals’ cybersecurity efforts found that the majority of participating facilities had adopted the National Institute of Standards and Technology’s Cybersecurity Framework, but that HHS was not tracking hospitals’ adoption of the guide’s ransomware-specific practices.

“Although HHS officials told us that they would be able to assess implementation of key concepts in the framework, the department did not provide evidence of its efforts to do so,” Wednesday’s assessment said. “Without full awareness of the sector’s adoption of cybersecurity practices, HHS risks not directing resources where needed.”

GAO also warned that HHS has still not addressed its recommendation to evaluate the effectiveness of its sector-focused efforts to help manage ransomware risks or taken steps to conduct “a comprehensive sector-wide cybersecurity risk assessment” of Internet of Things and operational technology devices.

Additionally, the assessment found that “coordinating and collaborating for sector cybersecurity” remained unaddressed challenges for the department, despite GAO having flagged these concerns in previous reports. 

In one notable example, the watchdog warned in a May 2020 report that the Centers for Medicare and Medicaid Services — an HHS agency — established cybersecurity requirements that “had parameters that conflicted with those established by other federal agencies that share data with states.”

Although GAO recommended that CMS “solicit input from relevant federal agencies on revisions to its security policy” and “revise its assessment policies to maximize coordination,” the report said that these steps remain unaddressed. 

“Until HHS implements our prior recommendations related to improving cybersecurity, the department risks not being able to effectively carry out its lead agency responsibilities, resulting in potential adverse impact on healthcare providers and patient care,” GAO said.