The Government Accountability Office (GAO) has released a report following an evaluation of the organizational approach of the U.S. Department of Health and Human Services (HHS) to cybersecurity.
The study was done because both the HHS and the healthcare and public health sector rely heavily on information systems to carry out their missions, including providing healthcare services and responding to state health emergencies. Disruption of any of these data systems can have significant implications for the HHS and healthcare sector organizations and may be devastating for U.S. citizens who depend on their services.
A cyber attack that disrupts the IT systems used in pharmacies, hospitals, and physicians' offices would hinder the approval and distribution of life-saving medicines and other items needed by patients and medical facilities.
The HHS should implement safeguards to protect its computer networks from cyber attackers seeking to obtain sensitive data to commit fraud and identity theft, carry out attacks to interrupt operations, or gain access to networks to launch attacks on other computer systems. Throughout the pandemic, many threat actors and APT groups have targeted the healthcare sector, with the GAO noting that the FBI and CISA have issued several notifications in the last 12 months regarding cyber threats specifically targeting medical and public health entities.
The GAO reports that the HHS has identified roles and duties, which is important for efficient collaboration; nevertheless, there were a number of areas where improvements can be made, primarily in how it works with its partners.
HHS working groups were evaluated on the degree to which they demonstrated Leading Practices for Collaboration. All seven of the HHS working groups satisfied the Leading Practices: bridge organizational cultures, determine leadership, include pertinent individuals in the group, and identify sources. Six working groups fulfilled the Leading Practices: clarify functions and obligations, and document and frequently update written guidance and agreements. Five groups satisfied the Leading Practice: define and monitor outcomes and accountability.
The GAO made seven recommendations on how the HHS can enhance collaboration and coordination inside the HHS and with the medical care industry.
The HHS Secretary should direct the CIO to coordinate cybersecurity threat information sharing between the Health Sector Cybersecurity Coordination Center (HC3) and the Healthcare Threat Operations Center (HTOC).
The HHS Secretary should direct the CIO to monitor, assess, and report on the progress and efficiency of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group.
The HHS Secretary should direct the Assistant Secretary for Preparedness and Response to monitor, examine, and report on the development and effectiveness of the Government Coordinating Council's Cybersecurity Working Group and HHS Cybersecurity Working Group.
The HHS Secretary should direct the CIO to routinely track and update written agreements describing how the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group will support collaboration, and make sure that authorizing officers evaluate and approve the up-to-date agreements.
The HHS Secretary should direct the Assistant Secretary for Preparedness and Response to make certain that authorizing officers examine and approve the charter describing how the HHS Cybersecurity Working Group will assist in collaboration.
The HHS Secretary should direct the Assistant Secretary for Preparedness and Response to complete written agreements that contain a description of how the Government Coordinating Council's Cybersecurity Working Group will work together; identify the roles and duties of the working group; review and update the written agreements regularly; and make sure that authorizing representatives leading the working group approve the finished agreements.
The HHS Secretary should direct the Assistant Secretary for Preparedness and Response to have an updated charter for the Joint Healthcare and Public Health Cybersecurity Working Group for the current fiscal year and make certain that approving officers in charge of the working group review and approve the updated charter.
The HHS concurred with six of the recommendations and did not agree with one. The HHS is presently taking action to address the six recommendations it agreed with. The HHS did not concur with the recommendation to coordinate cybersecurity data sharing between HC3 and HTOC.