A new Government Accountability Office (GAO) report has found that while the Department of Health and Human Services (HHS) has made substantial efforts to share cyber security threat intel with the wider health care sector, it could do more to develop its collaboration and coordination within the department and the sector.
The recently published report said the GAO was tasked to review HHS’s organizational approach to address cyber security. It looked at documentation describing HHS’s cyber security roles and responsibilities, assessed those responsibilities for fragmentation, duplication and overlap, and evaluated the department’s collaborative efforts against GAO’s leading practices for collaboration.
The report found that the recent coronavirus pandemic has “highlighted the need for HHS to pay continuous attention to cyber threats, which pose a serious challenge to national security, economic well-being, and public health and safety. “
“Since the start of the nation’s response to COVID-19 in March 2020, HHS and the HPH sector organizations have been targets for malicious cyber activity,” the report stated.
The report said HHS had clearly described roles and responsibilities for implementing its cyber security program, including the FISMA-required eight elements of the program. The department had also developed or contributed to developing policies, procedures, and plans that described the department’s roles and responsibilities for providing cyber security support to the healthcare and public health care (HPH) sector.
RELATED RESOURCE
Owning your own access security
The key to building strong cloud security and avoiding the risk of vendor lock-in
However, the report said that procedures and plans did not describe coordination among two entities critical to the department’s cyber security information sharing with the HPH sector — the Health Sector Cybersecurity Coordination Center (HC3) and the Healthcare Threat Operations Center (HTOC).
“Without coordinating the responsibilities for sharing cyber security information to the HPH sector, HHS is missing an opportunity to strengthen those efforts for their intended audience,” the report warned.
The GAO said there were areas where HHS could improve, such as actionable threat sharing and better support for industry partnerships.
“Until HC3 and HTOC formalize coordination of their cyber security information sharing responsibilities, sector partners will likely be without important threat information,” said the report’s authors.
The GAO said that the secretary of HHS should direct its chief information officer to coordinate cyber security information sharing between the Health Sector Cybersecurity Coordination Center and Healthcare Threat Operations Center.
It should also direct its CIO to monitor, evaluate, and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group.
The report said the HHS stated it is currently addressing the six recommendations it agreed with, but it did not agree with the GAO findings on cyber security coordination. HHS said there was “close coordination between HC3 and HTOC that takes into consideration the stakeholders and agreements between relevant partners and stakeholders.”
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
The UK cybersecurity sector is worth over £13 billion, but experts say there’s huge untapped potential if it can overcome these hurdlesAnalysis A new report released by the DSIT revealed the UK’s cybersecurity sector generated £13.2 billion over the last year
-
UK cyber experts on red alert after Salt Typhoon attacks on US telcosAnalysis The UK could be next in a spate of state-sponsored attacks on telecoms infrastructure
-
"Thinly spread": Questions raised over UK government’s latest cyber funding schemeThe funding will go towards bolstering cyber skills, though some industry experts have questioned the size of the price tag
-
Healthcare data breaches are out of control – here's how the US plans to beef up security standardsNews Changes to HIPAA security rules will require organizations to implement MFA, network segmentation, and more
-
The US could be set to ban TP-Link routersNews US authorities could be lining up the largest equipment proscription since the 2019 ban on Huawei networking infrastructure
-
US government IT contractor could face death penalty over espionage chargesNews The IT pro faces two espionage charges, each of which could lead to a death sentence or life imprisonment, prosecutors said
-
Threat of cyber attacks to national security compared to that of chemical weaponsNews The UK government has raised the threat level posed by cyber attacks, deeming it greater on average than an event such as the Salisbury poisoning
-
US identifies and places $10 million bounty on LockBit, Hive ransomware kingpinNews Mikhail Pavlovich Matveev was linked to specific ransomware attacks, including a 2021 raid on the DC police department
