With cyberattacks on healthcare organizations rising sharply, the U.S. Department of Health and Human Services (HHS) faces mounting criticism over its ability to protect this critical sector.
A new report from the Government Accountability Office (GAO) found that HHS has yet to meet key cybersecurity goals, leaving healthcare organizations vulnerable to increasingly complex cyberthreats.
Despite HHS's position as the lead federal agency for healthcare cybersecurity, it has made limited progress in establishing necessary defenses, particularly as ransomware, Internet of Things (IoT) threats, and operational technology (OT) risks continue to evolve, the GAO report concluded.
HHS Role and Unmet Expectations
As the primary federal agency charged with securing healthcare infrastructure, HHS works with the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate protections for the sector. Yet the GAO report states that there is a lack of consistent oversight and planning.
HHS's oversight shortcomings, coupled with a failure to implement previously recommended security measures, limit its ability to secure healthcare data effectively, creating persistent vulnerabilities.
One example of these vulnerabilities, GAO said, is the Change Healthcare ransomware attack in early 2024 that exposed sensitive data, disrupted services, and led to an estimated $874 million in damages. Such incidents underscore the urgent need for stronger leadership and more effective oversight within HHS, especially as the healthcare sector remains a prime target for cybercriminals.
The HHS’ shortcomings exposed during the Change Healthcare incident also drew criticism from House members like Sen. Ron Wyden, who urged HHS to raise cybersecurity standards to avert such future incidents.
Lack of Effective Ransomware Oversight
Ransomware has become a persistent threat to healthcare, with attacks leading to serious disruptions in patient care and financial losses.
The GAO report reveals that HHS has not consistently monitored the healthcare sector's adoption of ransomware mitigation practices, which are essential to securing critical systems. Without tracking adoption or implementation, HHS cannot accurately identify which organizations remain most at risk or direct resources where they are most needed, the GAO said.
“HHS was not yet monitoring adoption of the ransomware-specific practices outlined in the framework. Although HHS officials told us that they would be able to assess implementation of key concepts in the framework, the department did not provide evidence of its efforts to do so.” – GAO
HHS has taken steps to provide resources such as guidance, training, and threat briefings to healthcare entities. However, without concrete monitoring, these resources lack measurable effectiveness.
To address this, the GAO recommends that HHS coordinate with CISA to evaluate the sector's adoption of essential cybersecurity practices to reduce ransomware risks. This evaluation would provide HHS with critical insight into areas that need improvement, allowing it to allocate resources more effectively and protect vulnerable organizations from ransomware attacks.
Ineffective Support for Sector-Wide Cybersecurity
In its role, HHS offers a variety of resources, including documents, training sessions, and briefings, to help healthcare organizations bolster their cybersecurity. Yet the GAO report finds that HHS has not evaluated which forms of support are most useful to healthcare entities.
As a result, HHS lacks a clear understanding of whether its resources effectively meet the sector's needs, leading to communication gaps and delayed threat response times. The GAO urges HHS to implement evaluation procedures to measure the impact of its support efforts, which would enable it to make informed adjustments to its cybersecurity strategy.
Gaps in Risk Assessments for IoT and OT Devices
The healthcare sector increasingly relies on IoT and OT devices, such as patient monitoring systems and hospital infrastructure, that create new cybersecurity risks. However, the GAO said HHS has yet to complete a comprehensive risk assessment covering these devices.
Although HHS has assessed certain risks associated with IoT in medical devices, a broader evaluation of sector-wide IoT and OT threats remains lacking. This gap leaves many healthcare organizations without adequate protections against the vulnerabilities these connected devices introduce.
“HHS had ongoing risk activities for medical devices, a specific type of IoT device. However, HHS had not conducted a comprehensive sector-wide cybersecurity risk assessment addressing IoT and OT devices. As a result, the department did not know what additional security protections were needed to address emerging and evolving threats.” – GAO
The GAO recommends that HHS expand its risk assessments to cover IoT and OT devices comprehensively. Doing so would give healthcare organizations a clearer understanding of where additional security protections are needed, allowing for better-targeted defenses against emerging threats.
Collaboration and Coordination Challenges
HHS's Administration for Strategic Preparedness and Response (ASPR) plays a vital role in fostering collaboration among healthcare organizations to strengthen cybersecurity. However, the GAO points to weaknesses in ASPR's efforts to lead effective collaboration, citing unclear goals, undefined responsibilities, and outdated collaboration charters. These issues hamper ASPR's ability to unite healthcare entities around shared security goals.
To improve this, the GAO suggests that ASPR should set clear goals, define responsibilities more precisely, and regularly assess the progress of its collaboration efforts. This approach would ensure that ASPR's working groups and collaborations are both efficient and effective, directly benefiting the sector's cybersecurity posture.
Harmonizing Conflicting Cybersecurity Requirements for State Agencies
The GAO also identified conflicting cybersecurity requirements between HHS's Centers for Medicare and Medicaid Services (CMS) and other federal agencies, which complicates state-level cybersecurity efforts.
CMS mandates specific cybersecurity practices for state agencies handling Medicare and Medicaid data, but these requirements often clash with those of other agencies, such as the Social Security Administration. This creates confusion and adds unnecessary compliance burdens for state officials, detracting from their focus on essential cybersecurity work.
To address this issue, the GAO recommends that CMS work with other federal agencies to harmonize cybersecurity requirements. By creating consistent standards across agencies, HHS can simplify compliance, helping state agencies allocate resources more effectively and strengthen cybersecurity at the state level.
Prioritizing Comprehensive Cybersecurity Measures
The GAO made it clear that HHS must address its ongoing cybersecurity challenges to safeguard the healthcare sector effectively. Implementing the GAO's recommendations will be critical to strengthening HHS's leadership role, reducing ransomware and IoT-related vulnerabilities, and fostering improved coordination among healthcare organizations.
Proactively addressing these issues will require HHS to monitor the adoption of cybersecurity practices, evaluate the impact of its support resources, and undertake comprehensive risk assessments, particularly for IoT and OT devices. Through a more strategic approach, HHS can help healthcare providers better prepare for the evolving cyber threat landscape, ensuring they have the protections needed to continue delivering safe and secure patient care.