Health care organizations’ IT systems are critical to the nation’s wellbeing. Cyberattacks on them could, for example, put patient privacy at risk or disrupt essential telehealth services.
The Government Accountability Office (GAO) has reviewed the Department of Health and Human Services’ (HHS) efforts to address cybersecurity and found positives as well as a need for improved collaboration.
There are five entities under HHS, including the Health Sector Cybersecurity Coordination Center (HC3) and the Healthcare Threat Operations Center (HTOC).
Private-sector partners that receive information provided by HC3 told GAO that they could also benefit from receiving information from HTOC. GAO said that this lack of sharing is due, in part, to HHS not describing coordination between the two entities in procedures defining their responsibilities for cybersecurity information sharing.
According to the report, HHS entities led or participated in seven collaborative groups focused on cybersecurity in the department and in the healthcare and public health sector. Through these groups, the entities collaborated on cyber response efforts during the COVID-19 pandemic, between March 2020 and December 2020, and provided cybersecurity information, guidance and resources throughout that period.
The HHS entities also coordinated with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to address cyber threats related to COVID-19, the report said.
Measured against the seven leading collaboration practices, GAO found that all seven groups consistently addressed four of them: bridging organizational cultures, identifying leadership, including relevant participants in the group, and identifying sources. Six groups only partially addressed documenting and regularly updating written guidance and agreements, and clarifying roles and responsibilities. Only five groups partially addressed defining and tracking outcomes and accountability.
“Until HHS takes action to fully demonstrate the three leading practices, it cannot ensure that it is improving cybersecurity within the department and the healthcare and public health sector,” the report said.
The report explains that, “COVID-19 has highlighted the need for HHS to pay continuous attention to cyber threats, which pose a serious challenge to national security, economic well-being, and public health and safety.”
Some targets include patient information, intellectual property, public health data and intelligence. In a meeting in May 2020, the former Chief Information Officer informed GAO that HHS had been targeted daily by sophisticated cyberattacks since March 15, 2020. In the same month, CISA and the United Kingdom’s National Cyber Security Centre released a joint alert warning that threat groups had been targeting personal information, intellectual property and intelligence related to national priorities, and CISA and the FBI issued a public service announcement raising awareness of a threat targeting COVID-19-related research. Then, in October 2020, CISA, the FBI and HHS issued a cybersecurity advisory alert over the Department of Healthcare and Public Health (HPH) being targeted by ransomware activity.
GAO made seven recommendations for HHS to “improve its collaboration and coordination within the department and the sector.” These include asking the secretary of HHS to direct the Chief Information Officer to coordinate cybersecurity information sharing between the Health Sector Cybersecurity Coordination Center and the Healthcare Threat Operations Center, and to regularly monitor and update the written agreements that describe how collaboration will be facilitated.
HHS stated that it is currently taking action to address six of the seven recommendations. For example, it is convening a brainstorming session to consider applicable methods to monitor, evaluate, and report on the progress and performance of the HHS CISO Council. In addition, the department stated that it is in the process of updating, finalizing, and obtaining leadership approval for the Cloud Security Working Group charter.
HHS did not agree with GAO’s recommendation to coordinate cybersecurity information sharing between HC3 and HTOC. HHS stated that there is already close coordination between HC3 and HTOC that takes into consideration the stakeholders and the agreements between relevant partners and stakeholders. It added that it does not believe any duplication exists in the information disseminated by HC3 and HTOC. Finally, HHS noted that, because of the high level of fidelity and sensitivity surrounding federal intelligence data and HTOC federal partner cybersecurity operational data, HTOC partners do not share information outside the partnership without the express permission and authorization of the originating agency.