Cybersecurity in the healthcare sector continues to be a pressing issue, with the Department of Health and Human Services (HHS) facing challenges in mitigating risks, as highlighted in a recent report by the Government Accountability Office (GAO).
The GAO report pointed out that the HHS has not implemented certain policies recommended by the watchdog, such as tracking the industry's adoption of ransomware-specific cybersecurity practices and assessing risks associated with internet of things (IoT) and operational technology devices. These gaps in policy implementation could hinder the department’s ability to lead the industry effectively in cybersecurity, posing risks to providers and patient care.
Despite the HHS’ efforts to address cybersecurity risks in the healthcare sector, the GAO found that there are shortcomings in the department’s approach. This is particularly concerning given the increasing number of cyberattacks and data breaches affecting healthcare organizations, including the recent cyberattack on Change Healthcare, a technology firm owned by UnitedHealth.
One of the key issues highlighted in the report was the HHS’ lack of tracking of industry adoption of cybersecurity practices, specifically those related to ransomware. The GAO emphasized the importance of having a comprehensive understanding of the sector’s cybersecurity practices to ensure that resources are directed where they are most needed.
Furthermore, the HHS has not evaluated the effectiveness of its support tools, such as guidance documents and training materials, nor has it conducted a thorough assessment of risks associated with IoT and operational technology devices. Without these assessments, the department may not be equipped to address evolving cybersecurity threats effectively.
The report also highlighted conflicting cybersecurity requirements established by the Centers for Medicare and Medicaid Services (CMS) and other federal agencies, such as the Social Security Administration, that work closely with state agencies. These conflicting requirements could place an unnecessary burden on state officials and divert attention from other important cybersecurity efforts.
In conclusion, the GAO report underscores the need for the HHS to address the gaps in its cybersecurity policies and implementation to better protect the healthcare sector from cyber threats. By prioritizing cybersecurity measures, the department can enhance the resilience of healthcare providers and safeguard patient care in an increasingly digital healthcare landscape.