GAO: HHS Needs to Improve Cybersecurity Info-Sharing Efforts
Watchdog Agency Says Better Collaboration Can Aid Healthcare Sector
The Department of Health and Human Services must improve collaboration among several of its key internal entities, as well as with external partners, in order to bolster cybersecurity threat intelligence sharing in the healthcare and public health sector, says a watchdog agency report.
The Government Accountability Office, in a report issued Monday, says it conducted its study because HHS and the healthcare and public health sector "rely heavily on information systems to fulfill their missions," including delivering healthcare-related services and responding to national health emergencies, such as COVID-19.
"Any disruption in the systems used by HHS and healthcare sector organizations could be catastrophic for the many Americans who rely on their services," the GAO notes.
"For example, a cyberattack resulting in the disruption of IT systems supporting pharmacies, hospitals, and physicians’ offices would interfere with the approval and distribution of the life-saving medications and other products needed by patients and healthcare facilities," the GAO writes.
"Without proper safeguards, computer systems are vulnerable to individuals and groups with malicious intent who can intrude and use their access to obtain sensitive information, commit fraud and identity theft, disrupt operations, or launch attacks against other computer systems and networks."
The report notes several government advisories released since the beginning of the pandemic have warned the sector about advanced persistent threats, including a joint cybersecurity alert issued in October 2020 by HHS, the FBI and the Cybersecurity and Infrastructure Security Agency regarding ransomware activity targeting healthcare and public health entities (see: US Hospitals Warned of Fresh Wave of Ransomware Attacks).
Internal, External Collaboration
The GAO found that for healthcare and public health critical infrastructure sector cybersecurity, HHS has defined responsibilities for several key internal entities.
For instance, HHS' Health Sector Cybersecurity Coordination Center, or HC3, was established to improve cybersecurity information sharing in the healthcare sector, while the Healthcare Threat Operations Center, a federal interagency program co-led by HHS, focuses on activities such as providing descriptive and actionable cyber data.
But weaknesses in the coordination and collaboration between the two entities hamper the richness of potential cyber information sharing that could ultimately help the healthcare and public health sector respond to cyberthreats, the GAO notes.
"Private-sector partners that receive information provided by the HC3 informed GAO that they could benefit from receiving more actionable threat information," the report notes. "However, [HC3] does not routinely receive such information from the Healthcare Threat Operations Center, and therefore is not positioned to provide it to sector partners," the GAO writes.
"This lack of sharing is due, in part, to HHS not describing coordination between the two entities in procedures defining their responsibilities for cybersecurity information sharing. Until HHS formalizes coordination for the two entities, they will continue to miss an opportunity to strengthen information sharing with sector partners," the GAO writes.
The report makes seven recommendations to HHS on how it can improve collaboration and coordination within the department and with the sector. HHS agreed with six of the recommendations and disagreed with one.
Most of the recommendations focus on steps HHS should take to strengthen coordination and collaboration between specific HHS divisions, centers, offices and working groups.
For instance, GAO recommends that the Secretary of HHS direct HHS' CIO to coordinate cybersecurity information sharing between the HC3 and the Healthcare Threat Operations Center.
Former healthcare CIO David Finn, executive vice president at security and privacy consultancy CynergisTek and a member of a cyber task force created under the Cybersecurity Act of 2015 to advise HHS, says collaboration within HHS agencies - and between HHS and the larger healthcare sector - on cybersecurity issues is critical.
"Cybersecurity … at the end of the day is about people - their awareness of issues, weaknesses, needs and an understanding of what to do when something is amiss, something is wrong or just does not seem right or make sense," he says.
"Sharing actual experiences, events and how they were dealt with will improve things not only for those receiving that information, but those sharing it will get new insights and ideas from those they share with. Why try to solve a problem that someone has already figured out? No two answers will ever be the same, but what a huge jump-start it can provide to know what others have done."
Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center - an external group that works with HHS for cyber intelligence sharing in the healthcare sector - offers a similar assessment.
"We all have a role to perform in helping to protect the healthcare sector," Weiss says. "There's no one thing and not one entity an organization can turn to to improve their cybersecurity," he says.
"From the private sector and Health-ISAC perspective, we look to HHS and HC3 to help inform us about cyber threats, adversary tactics, and attack trends," he says. As an example, HC3 publishes guidance on cybersecurity best practices and informative threat updates that the H-ISAC shares with its community, according to Weiss.
Health-ISAC and HC3 are collaborating on the development of cybersecurity exercises, or "mini drills," that the two can quickly organize and execute for the sector, Weiss says.
"The idea is to conduct these smaller exercises and benefit by learning where our gaps are in our own respective incident response plans, practices and communications and then update those plans so we can constantly improve."
Weiss is slated to speak at the upcoming ISMG Virtual Cybersecurity Summit: Government on a panel discussion about cyberthreat information sharing in the healthcare sector, along with William Welch, cyber engagement lead of HHS' HC3.