The exterior of the U.S. Department of Health and Human Services in Washington. (Photo by Alex Wong/Getty Images)

As the Department of Health and Human Services moves toward greater interoperability across the healthcare sector, the agency must make greater efforts to modernize its approach to cybersecurity, according to a new report from the Office of the Inspector General.

The report, "Top Management and Performance Challenges Facing HHS," details the complex challenges facing the healthcare regulator, with a section dedicated to cybersecurity concerns.

OIG found that HHS has taken strides to improve its posture, particularly after the Biden administration’s May 2021 executive order directing federal agencies to “fundamentally and systemically change their approach to cybersecurity.”

HHS is currently in the process of finalizing its strategic plan, but the path forward has been fraught with a challenge faced across the government and healthcare sectors: persistent cybersecurity threats. The report notes that the effort will “require significant investments in resources as well as cultural and organizational change.”

HHS has long struggled to meet the challenges facing its information security program, with yearly reports from both OIG and the Government Accountability Office consistently deeming the program “not effective” under the Federal Information Security Modernization Act (FISMA) metrics.

Released in April, the last OIG audit found HHS failed to meet the “managed and measurable” maturity level across all five function areas, including the identify, protect, detect, and recover functions required by Department of Homeland Security guidance and FISMA.

Namely, HHS struggled with its supply chain risk management, which HHS “only assessed at the domain level and [it was] not factored into the conclusion of the function or overall effectiveness of HHS information security program for FY 2021 in accordance with the IG FISMA Reporting Metrics guidance.”

Overall, risk management was not yet at a managed and measurable maturity level, which led to the OIG’s negative assessment.

HHS operating environment adds to complexity of meeting requirements

HHS is looking to rectify these vulnerabilities to meet the executive order’s requirements for federal agencies on specific cybersecurity standards and objectives by the end of fiscal year 2024, which include the adoption of a zero trust security architecture approach.

To meet these requirements, HHS must make serious organizational changes in how it implements security across its divisions and programs to ensure its assets and resources are protected at all times.

However, OIG noted that the “persistent and growing cybersecurity threats exacerbate the challenges facing HHS associated with data and technologies used to carry out the vital health and human service missions” of its divisions. If these threats aren’t mitigated, HHS program operations and the health and welfare of the individuals it serves will remain at risk.

In fact, HHS operating divisions faced numerous sophisticated phishing and business email compromise attacks on their employees this year alone, which OIG expects to worsen into the foreseeable future — especially as more devices and technologies are introduced into the network.

The report notes that HHS’ challenges are “multifaceted and complex because program needs and timeliness often compete with cybersecurity controls and capabilities.” OIG noted that HHS will need to require its divisions to “take a risk-based approach for rapid system development and deployment” if it hopes to meet the executive requirements and reduce risk.

As part of the needed shift, HHS will need to better understand the current risk presented by ongoing cybersecurity threats and the value of protecting technology and data.

The agency is also facing the persistent challenge brought on by the federated nature of its IT and cybersecurity environments: a “vast network of interdependent, increasingly digital health, social, and administrative services.” At this scale, HHS must simultaneously address the range of cybersecurity requirements alongside its specific data and technological needs.

The report shows that 24 of the 28 National Institutes of Health receive congressional funding and administer their own budgets, with their own leadership, while the Indian Health Service uses a decentralized environment for its headquarters, offices, and care sites, each with their own health mandates as they provide direct patient care.

“This type of environment poses challenges to IHS’s ability to assess, manage, and respond to cybersecurity threats, as well as modernize cybersecurity approaches in order to become resilient in the face of persistent threats,” the report authors wrote. HHS also has thousands of contractors, grantees, and other partners with their own cybersecurity capabilities.

These all exacerbate the complexity of securing the environment, and as the datasets created by all of these partners “continue to grow, the ability to prevent bad actors from directly and indirectly inferring personally identifiable information is a challenge.”

What’s more, OIG believes the ownership of this data is sometimes unclear and stressed that HHS must improve these key areas to ensure all partners are using adequate data protections and developing a risk-based approach.

HHS is working to finalize its data strategy to improve how it collects, manages, shares, and secures its data, as it expands its technological capabilities and refines “its approach to influence and shape how other entities use technology.” Among its challenges are the large amounts of critical data from disparate sources “on an unprecedented scale.”

OIG believes it’s imperative for the agency to manage these challenges and make “foundational improvements.”

“Continued modernization of HHS data and technology capabilities is needed for HHS and its divisions to fulfill their missions, improve situational awareness, and better prepare for future public health threats and emergencies,” according to the OIG report.