GAO Finds Persistent Gaps In HHS Cybersecurity Efforts


With cyberattacks on healthcare organizations rising sharply, the U.S. Department of Health and Human Services (HHS) faces mounting criticism over its ability to protect this essential sector.

A new report from the Government Accountability Office (GAO) found that HHS has yet to meet critical cybersecurity goals, leaving healthcare organizations vulnerable to increasingly complex cyberthreats.

Despite HHS’s position as the lead federal agency for healthcare cybersecurity, it has made limited progress in establishing necessary defenses, particularly as ransomware, Internet of Things (IoT) threats, and operational technology (OT) risks continue to evolve, the GAO report concluded.

HHS Role and Unmet Expectations

As the primary federal agency charged with securing healthcare infrastructure, HHS works with the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate protections for the sector. Yet the GAO report states there is a lack of consistent oversight and planning.

HHS’s oversight shortcomings, coupled with a failure to implement previously recommended security measures, limit its ability to secure healthcare data effectively, creating persistent vulnerabilities.

One example of these vulnerabilities, GAO said, is the Change Healthcare ransomware attack in early 2024 that exposed sensitive data, disrupted services, and led to an estimated $874 million in damages. Such incidents underscore the urgent need for stronger leadership and more effective oversight within HHS, especially as the healthcare sector remains a prime target for cybercriminals.


HHS’s shortcomings exposed during the Change Healthcare incident also drew criticism from lawmakers such as Sen. Ron Wyden, who urged HHS to raise cybersecurity standards to avert similar incidents in the future.


Lack of Effective Ransomware Oversight

Ransomware has become a persistent threat to healthcare, with attacks leading to severe disruptions in patient care and financial losses.

The GAO report reveals that HHS has not consistently monitored the healthcare sector’s adoption of ransomware mitigation practices, which are essential to securing critical systems. Without tracking adoption or implementation, HHS cannot accurately identify which organizations remain most at risk or direct resources where they are most needed, the GAO said.

“HHS was not yet tracking adoption of the ransomware-specific practices outlined in the framework. Although HHS officials told us that they would be able to assess implementation of key concepts in the framework, the department did not provide evidence of its efforts to do so.” – GAO

HHS has taken steps to provide resources like guidance, training, and threat briefings to healthcare entities. However, without concrete tracking of adoption, HHS has no way to measure whether these resources are effective.

To address this, the GAO recommends that HHS coordinate with CISA to evaluate the sector’s adoption of essential cybersecurity practices to reduce ransomware risks. This assessment would provide HHS with critical insights into areas that need improvement, allowing it to allocate resources more effectively and protect vulnerable organizations from ransomware attacks.

Ineffective Support for Sector-Wide Cybersecurity

In its role, HHS offers a variety of resources, including documents, training sessions, and briefings, to assist healthcare organizations in bolstering cybersecurity. Yet, the GAO report finds that HHS has not evaluated which forms of support are most useful for healthcare entities.

As a result, HHS lacks a clear understanding of whether its resources effectively meet the sector’s needs, leading to communication gaps and delayed threat response times. The GAO urges HHS to implement assessment procedures to measure the impact of its support efforts, which would enable it to make informed adjustments to its cybersecurity approach.

Gaps in Risk Assessments for IoT and OT Devices

The healthcare sector increasingly relies on IoT and OT devices—such as patient monitoring systems and hospital infrastructure—that create new cybersecurity risks. However, the GAO said HHS has yet to complete a comprehensive risk assessment covering these devices.

Although HHS has assessed certain risks associated with IoT in medical devices, a broader evaluation of sector-wide IoT and OT threats remains missing. This gap leaves many healthcare organizations without adequate protections against the vulnerabilities these connected devices introduce.

“HHS had ongoing risk activities for medical devices, a specific type of IoT device. However, HHS had not conducted a comprehensive sector-wide cybersecurity risk assessment addressing IoT and OT devices. As a result, the department did not know what additional security protections were needed to address growing and evolving threats.” – GAO


The GAO recommends that HHS expand its risk assessments to include IoT and OT devices comprehensively. Doing so would provide healthcare organizations with a clearer understanding of where additional security protections are needed, allowing for better-targeted defenses against emerging threats.

Collaboration and Coordination Challenges

HHS’s Administration for Strategic Preparedness and Response (ASPR) plays a crucial role in fostering collaboration among healthcare organizations to strengthen cybersecurity. However, the GAO points to weaknesses in ASPR’s efforts to lead effective collaboration, citing unclear goals, undefined responsibilities, and outdated collaboration charters. These issues hamper ASPR’s ability to unite healthcare entities around shared security objectives.

To improve this, the GAO suggests that ASPR should set clear goals, define responsibilities more precisely, and regularly assess collaboration efforts’ progress. This strategy would ensure that ASPR’s working groups and collaborations are both efficient and effective, directly benefiting the sector’s cybersecurity posture.

Harmonizing Conflicting Cybersecurity Requirements for State Agencies

The GAO also identified conflicting cybersecurity requirements between HHS’s Centers for Medicare and Medicaid Services (CMS) and other federal agencies, which complicates state-level cybersecurity efforts.

CMS mandates specific cybersecurity practices for state agencies handling Medicare and Medicaid data, but these requirements often clash with those imposed by other federal agencies, such as the Social Security Administration. This creates confusion and adds unnecessary compliance burdens for state officials, diverting attention from essential cybersecurity work.

To address this issue, the GAO recommends that CMS work with other federal agencies to harmonize cybersecurity requirements. By creating consistent standards across agencies, HHS can simplify compliance, helping state agencies allocate resources more effectively and strengthen cybersecurity at the state level.

Prioritizing Comprehensive Cybersecurity Measures

The GAO made it clear that HHS must address its ongoing cybersecurity challenges to safeguard the healthcare sector effectively. Implementing the GAO’s recommendations will be critical to enhancing HHS’s leadership role, reducing ransomware and IoT-related vulnerabilities, and fostering improved coordination among healthcare organizations.

Proactively addressing these issues will require HHS to monitor the adoption of cybersecurity practices, evaluate the impact of its support resources, and undertake comprehensive risk assessments, particularly for IoT and OT devices. Through a more strategic approach, HHS can help healthcare providers better prepare for the evolving cyber threat landscape, ensuring they have the necessary protections to continue delivering safe and secure patient care.
