The U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) has released its annual report on the Top Management and Performance Challenges Facing HHS, intended as guidance for the department on improving the performance and effectiveness of its programs. The report discusses a number of cybersecurity challenges facing HHS, including the lack of standardized policies and controls, which leaves HHS's preparedness efforts insufficient to prevent and respond to cybersecurity risks.
HHS is a large department whose divisions and programs take differing organizational approaches to cybersecurity. Although the department has taken steps to consolidate cybersecurity capabilities and strengthen its posture, HHS-OIG states that progress still depends largely on each individual division and program. In addition, HHS works with thousands of contractors, grantees, and other external entities. Cybersecurity measures must be enforced not only within HHS but also by those contractors, grantees, and external entities. That makes improvement particularly difficult, since HHS's ability to mitigate cybersecurity threats depends heavily on those entities maintaining cybersecurity programs appropriate to their own operations. HHS-OIG stated that protecting data and technology requires more than implementing technical fixes: it requires setting clear goals, updating program guidance, and effectively overseeing the department's contractors, grantees, and other external entities.
The healthcare industry remains a major target for cyber actors. Ransomware attacks are increasing as financially motivated threat actors encrypt files and steal data to pressure victims into paying a ransom. Cyberattacks are becoming more sophisticated and are constantly changing. HHS needs to be able to respond quickly, notify the industry about vulnerabilities being exploited, and help the industry prepare for evolving threats.
HHS plays an important role in improving cybersecurity across the industry and addressing threats. However, the limits of HHS's cybersecurity authorities and programs make its response efforts difficult. HHS lacks sufficient resources to improve cybersecurity across the healthcare and public health sector, which faces challenges such as dependence on legacy technology and workforce shortages. Additionally, privacy and security in the sector are governed by HIPAA, which is more than two decades old. HHS-OIG cautioned that the HIPAA Privacy Rule and the HIPAA Security Rule may no longer be sufficient to address current privacy concerns and the growing cybersecurity threats to electronic protected health information (ePHI). HHS-OIG therefore stated that HHS should adapt as privacy and security requirements evolve.
Additional regulation could help here; however, HHS has been slow to finalize updates to the HIPAA Rules. HHS proposed an update to the Privacy Rule at the end of 2020, under the previous Trump administration, yet more than five years later no final rule has been published. A proposed update to the HIPAA Security Rule, intended to strengthen cybersecurity across the sector, was also issued during the Biden administration. That update remains on HHS's agenda, but it is currently unclear whether HHS, under the current Trump administration, will finalize the proposed rule.
HHS-OIG stated that HHS has taken steps to address the challenges identified in the report, but that there remain opportunities for further improvement. Until updates to the HIPAA Rules are finalized, HHS must continue to operate within the requirements set by HIPAA of 1996, the HIPAA Privacy Rule of 2000, and the HIPAA Security Rule of 2003.
Image credit: mehaniq41, Adobestock


