The U.S. Government Accountability Office has made seven recommendations to the Department of Health and Human Services to improve its collaboration and coordination on cybersecurity within the department and with the healthcare sector.
In explaining why it conducted the study, the GAO said that HHS and the healthcare and public health sector rely heavily on information systems to fulfill their missions, including delivering healthcare-related services and responding to national health emergencies, such as COVID-19. Federal laws and guidance have set requirements for HHS to address cybersecurity within the department and the sector. Federal guidance also requires collaboration and coordination to strengthen cybersecurity at HHS and in the sector.
GAO was asked to review HHS's organizational approach to address cybersecurity. The HHS Office of Information Security is responsible for managing department-wide cybersecurity. This report discusses HHS's roles and responsibilities for departmental cybersecurity; HHS's roles and responsibilities for healthcare and public health sector cybersecurity; and HHS's efforts to collaborate to manage its cybersecurity responsibilities.
The seven recommendations for improvement in the June 2021 report largely focus on improved collaboration and communication:
1. The Secretary of HHS should direct the Chief Information Officer to coordinate cybersecurity information sharing between the Health Sector Cybersecurity Coordination Center and Healthcare Threat Operations Center.
2. The Secretary of HHS should direct the Chief Information Officer to monitor, evaluate, and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group.
3. The Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to monitor, evaluate, and report on the progress and performance of the Government Coordinating Council's Cybersecurity Working Group and HHS Cybersecurity Working Group.
4. The Secretary of HHS should direct the Chief Information Officer to regularly monitor and update written agreements describing how the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group will facilitate collaboration, and ensure that authorizing officials review and approve the updated agreements.
5. The Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to ensure that authorizing officials review and approve the charter describing how the HHS Cybersecurity Working Group will facilitate collaboration
6. The Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to (1) finalize written agreements that include a description of how the Government Coordinating Council's Cybersecurity Working Group will collaborate, (2) identify the roles and responsibilities of the working group, (3) monitor and update the written agreements on a regular basis, and (4) ensure that authorizing officials leading the working group approve the finalized agreements.
7. The Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to update the charter for the Joint Healthcare and Public Health Cybersecurity Working Group for the current fiscal year and ensure that authorizing officials leading the working group review and approve the updated charter.
As an example of improved communication, the GAO described the relationship between the Health Sector Cybersecurity Coordination Center, which was established to improve cybersecurity information sharing in the sector, and the Healthcare Threat Operations Center, a federal interagency program co-led by HHS and focused on, among other things, providing descriptive and actionable cyber data.
“Private-sector partners that receive information provided by the Health Sector Cybersecurity Coordination Center informed GAO that they could benefit from receiving more actionable threat information,” the report said. “However, this center does not routinely receive such information from the Healthcare Threat Operations Center, and therefore is not positioned to provide it to sector partners. This lack of sharing is due, in part, to HHS not describing coordination between the two entities in procedures defining their responsibilities for cybersecurity information sharing. Until HHS formalizes coordination for the two entities, they will continue to miss an opportunity to strengthen information sharing with sector partners.”
HHS entities led, or participated in, seven collaborative groups that focused on cybersecurity in the department and healthcare and public health sector. These entities regularly collaborated on cyber response efforts and provided cybersecurity information, guidance, and resources through these groups and other means during COVID-19 between March 2020 and December 2020. In addition, the HHS entities coordinated with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency(CISA)to address cyber threats associated with COVID-19.
The GAO report noted that HHS entities fully demonstrated consistency with four of the seven leading collaboration practices that GAO identified, and partially addressed the other three. “Until HHS takes action to fully demonstrate the remaining three leading practices, it cannot ensure that it is improving cybersecurity within the department and the healthcare and public health sector,” the report found.
