The Department of Health and Human Services has made progress in threat sharing efforts to support cybersecurity within its partnerships and the health care sector. But the Government Accountability Office found areas where HHS could better coordinate its efforts to support department information sharing and overall health IT security.
The HHS Office of Information Security is tasked with managing department-wide cybersecurity. For that program, the agency has established policies and procedures that clearly outline who within the agency is responsible for documenting and implementing each part of its cybersecurity program.
Those elements are required by the Federal Information Security Modernization Act of 2014 (FISMA). Beyond its own systems, HHS is also responsible for cybersecurity across the health care sector, which means collaborating and coordinating cybersecurity efforts with the industry.
GAO was tasked with reviewing HHS’ cybersecurity approach, in light of the sector’s heavy reliance on information systems to deliver health care services and respond to national health emergencies.
“Given HHS’s knowledge and expertise in providing health care and improving public health, it serves as the lead federal agency responsible for coordinating security and resilience efforts for the health care sector,” according to the report.
“The sector provides services that are essential to maintaining local, national, and global health security,” it added. “COVID-19 has highlighted the need for HHS to pay continuous attention to cyber threats, which pose a serious challenge to national security, economic well-being, and public health and safety.”
The review confirmed that HHS collaborates effectively with health care provider organizations and other partners to support cybersecurity efforts.
In the last year alone, HHS has ramped up threat sharing based on insights from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency.
GAO also noted that HHS led or participated in seven cybersecurity collaborative groups within the sector, centered on cyber response efforts, and that it provided health care entities with cybersecurity guidance, insights, and resources throughout the pandemic response.
For example, amid the surge in COVID-19-themed cyberattacks in the initial months of the pandemic, the HHS Office for Civil Rights released a list of privacy and security resources to help providers bolster their defenses and avoid violations of the Health Insurance Portability and Accountability Act.
HHS’ alerts were sent via the Health Sector Cybersecurity Coordination Center (HC3), which was established to improve cybersecurity information sharing across the sector. HHS also operates the HHS Threat Operations Center (HTOC), an interagency program that provides descriptive and actionable cyber threat data.
Further, the agency consistently adheres to four of seven leading collaboration practices identified by GAO.
But the GAO found there are key areas where HHS could make improvements, particularly around actionable threat sharing and better positioning itself to support sector partnerships. HHS’ private sector partners told GAO that they could benefit from the receipt of more actionable threat information.
The audit found that these two HHS cybersecurity entities do not routinely share this type of data with each other, in part because HHS policy does not make that coordination part of their responsibilities.
GAO stressed that because HC3 does not receive the actionable threat data that HTOC collects, the health sector may not obtain information that could strengthen its cyber response and protection efforts.
A review of the alerts and reports issued by the two entities showed that HC3 alerts focused on mitigation strategies to help providers respond to threats, while HTOC products addressed threat information itself, such as active attack vectors.
GAO concluded that the sector could benefit from HC3 distributing more actionable threat data, which would help providers avoid cyberattacks altogether rather than only mitigate them. However, HC3 does not use the threat information collected and reported by HTOC, because the two have not coordinated their threat sharing responsibilities and HHS policy does not require them to.
“Until HHS formalizes coordination for the two entities, they will continue to miss an opportunity to strengthen information sharing with sector partners,” according to the report. “Organizations can avoid fragmented, overlapping, and duplicative services and activities by clearly and distinctly defining the roles and responsibilities within those organizations.”
“Organizations with responsibilities in the same broad area of service delivery can strengthen implementation of those responsibilities through coordination,” it continued.
To overcome these challenges and improve threat sharing across the health sector, GAO made seven recommendations to HHS; HHS agreed with six of them.
HHS should direct its chief information security officer to coordinate cybersecurity information sharing between the HTOC and HC3, while its chief information officer should be tasked with monitoring, evaluating, and reporting on the progress of internal working groups and other cybersecurity efforts.
The CISO should also be in charge of directing how HHS working groups collaborate and ensure leadership is adhering to agreements on cybersecurity efforts.
In addition, HHS Assistant Secretary for Preparedness and Response (ASPR) should be responsible for monitoring, evaluating, and reporting on the agency's cybersecurity working groups.
GAO also recommended that ASPR oversee how the working groups facilitate collaboration, including putting collaboration agreements within those groups in writing, identifying roles and responsibilities, monitoring and updating those written agreements, and ensuring that the agreements are finalized.
ASPR should also be responsible for updating the charter of the Joint Healthcare and Public Health Cybersecurity Working Group in 2021 and for ensuring that leadership reviews and approves the updated charter and initiatives.
“HHS stated that it plans to take a number of actions [that] include convening a brainstorming session to consider applicable methods to monitor, evaluate, and report on the progress and performance of the HHS CISO Council,” according to the report.
HHS is in the process of updating, finalizing, and obtaining leadership approval for the Cloud Security Working Group charter, according to the report, and plans to launch a joint effort between ASPR and OCIO to revise the charter for the Government Coordinating Council’s Cybersecurity Working Group.
ASPR and the OCIO are already implementing restructuring efforts for the HHS Cybersecurity Working Group to boost operational efficiency and collaboration across the agency.
Notably, HHS did not concur with the GAO recommendation to improve coordination between HC3 and HTOC. Officials said the two groups already coordinate closely in a way that takes stakeholders and existing agreements into account.
HHS officials explained that they do not believe the two entities duplicate each other’s threat sharing efforts. They added that HTOC partners do not share threat information outside the partnership without the express authorization of the originating agency, “due to the high-level of fidelity and sensitivity that surrounds federal intelligence data.”
GAO doubled down on its recommendation, noting that enhanced collaboration and clearly defined responsibilities have been proven to support coordination. It also found that HHS’ assertion that the sensitivity of the information prevents sharing is not borne out by the threat sharing practices of other federal entities, including CISA, the Department of Defense, and the Department of Justice.
Improved threat sharing would not only support cyber risk mitigation in the private sector, it would also bring HHS into closer alignment with federal threat sharing efforts.
Emsisoft data shows that 32 health care providers have been disrupted by ransomware alone in 2021, so far. The sector has also seen a large number of vendor incidents that have impacted the data belonging to millions of patients.
As small- and medium-sized health care provider organizations are strapped for resources, both in terms of security leadership and technical means, free resources are crucial for these entities to bolster overall cybersecurity defenses.
While HHS works to improve its threat sharing, health care providers should review the Healthcare and Public Health Sector Coordinating Council’s guide on cyber threat information sharing, which is designed to help entities develop and manage their own information sharing programs.
These programs support entities with minimal resources through “shared situational awareness,” which lets systems administrators draw on threat information from similar organizations to build defenses that prevent the same attack from recurring against them.
“When an organization participates in an information sharing program, they will often learn about attacks and mitigations before they are targeted,” researchers explained, at the time. “Having knowledge about what attacks other firms are facing gives the organization an opportunity to prepare.”
“A chain is only as strong as its weakest link, and in today’s connected health care environment, one of the best ways to increase the strength of the chain is through information sharing programs,” they added.