Cybersecurity: HHS Defined Roles and Responsibilities, but Can Further Improve Collaboration
Fast Facts
Health care organizations' IT systems are critical to the nation's well-being. Cyberattacks on them could, for example, put patient privacy at risk or disrupt essential telehealth services. (The nation's cybersecurity is on our High Risk List.)
The Department of Health and Human Services coordinates with health care organizations and others to support cybersecurity efforts. Its policies and procedures clearly describe roles and responsibilities, which is good for collaboration.
But we found areas where HHS could improve collaboration, such as by routinely sharing threat information with its partners.
Our recommendations address these issues.
Highlights
What GAO Found
The Department of Health and Human Services' (HHS) Office of Information Security is responsible for managing department-wide cybersecurity. HHS clearly defined responsibilities for the divisions within that office to, among other things, document and implement a cybersecurity program, as required by the Federal Information Security Modernization Act of 2014.
For healthcare and public health critical infrastructure sector cybersecurity, HHS also defined responsibilities for five HHS entities. Among these entities are the Health Sector Cybersecurity Coordination Center, which was established to improve cybersecurity information sharing in the sector, and the Healthcare Threat Operations Center, a federal interagency program co-led by HHS and focused on, among other things, providing descriptive and actionable cyber data. Private-sector partners that receive information provided by the Health Sector Cybersecurity Coordination Center informed GAO that they could benefit from receiving more actionable threat information. However, this center does not routinely receive such information from the Healthcare Threat Operations Center, and therefore is not positioned to provide it to sector partners. This lack of sharing is due, in part, to HHS not describing coordination between the two entities in procedures defining their responsibilities for cybersecurity information sharing. Until HHS formalizes coordination for the two entities, they will continue to miss an opportunity to strengthen information sharing with sector partners.
Further, HHS entities led, or participated in, seven collaborative groups that focused on cybersecurity in the department and healthcare and public health sector. These entities regularly collaborated on cyber response efforts and provided cybersecurity information, guidance, and resources through these groups and other means during COVID-19 between March 2020 and December 2020. In addition, the HHS entities coordinated with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to address cyber threats associated with COVID-19. Further, the HHS entities fully demonstrated consistency with four of the seven leading collaboration practices that GAO identified, and partially addressed the remaining three (see table). Until HHS takes action to fully demonstrate the remaining three leading practices, it cannot ensure that it is improving cybersecurity within the department and the healthcare and public health sector.
Extent to Which the Department of Health and Human Services (HHS) Demonstrated Leading Practices for Collaborating
|
Leading practice |
Extent to which the HHS working groups demonstrated the leading practice |
|
Define and track outcomes and accountability |
◑ - five groups met this practice |
|
Bridge organizational cultures |
● – all seven groups met this practice |
|
Identify leadership |
● – all seven groups met this practice |
|
Clarify roles and responsibilities |
◑ - six groups met this practice |
|
Include relevant participants in the group |
● – all seven groups met this practice |
|
Identify resources |
● – all seven groups met this practice |
|
Document and regularly update written guidance and agreements |
◑ - six groups met this practice |
Source: GAO analysis of HHS documentation. | GAO-21-403
Why GAO Did This Study
HHS and the healthcare and public health sector rely heavily on information systems to fulfill their missions, including delivering healthcare-related services and responding to national health emergencies, such as COVID-19. Federal laws and guidance have set requirements for HHS to address cybersecurity within the department and the sector. Federal guidance also requires collaboration and coordination to strengthen cybersecurity at HHS and in the sector.
GAO was asked to review HHS's organizational approach to address cybersecurity. This report discusses HHS's roles and responsibilities for departmental cybersecurity; HHS's roles and responsibilities for healthcare and public health sector cybersecurity; and HHS's efforts to collaborate to manage its cybersecurity responsibilities.
To perform its work, GAO reviewed documentation describing HHS's cybersecurity roles and responsibilities, assessed those responsibilities for fragmentation, duplication, and overlap, and evaluated the department's collaborative efforts against GAO's leading practices for collaboration. GAO also interviewed relevant officials at HHS and CISA, and in the sector.
Recommendations
GAO is making seven recommendations to HHS to improve its collaboration and coordination within the department and the sector. HHS agreed with six of the recommendations and disagreed with one. GAO continues to believe that all recommendations are appropriate.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Health and Human Services | The Secretary of HHS should direct the Chief Information Officer to coordinate cybersecurity information sharing between the Health Sector Cybersecurity Coordination Center and Healthcare Threat Operations Center. (Recommendation 1) |
Closed – Implemented
In January 2022, HHS provided documentation showing that the department has developed an Information Sharing Policy that sets requirements for the sharing of information from the Healthcare Threat Operations Center (HTOC) to the Health Sector Cybersecurity Coordination Center (HC3). HHS has also developed an information sharing guide that describes how certain data in an HTOC report, such as indicators of compromise, threat information, and sensitive incident data, should be handled before being sent to HC3 and other approved distribution channels. In August 2022, HHS provided examples showing that it is implementing the information sharing policy and guide. Specifically, the department demonstrated that HTOC and HC3 are coordinating cybersecurity information sharing for threat briefings and threat incident notifications.
|
| Department of Health and Human Services | The Secretary of HHS should direct the Chief Information Officer to monitor, evaluate, and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group. (Recommendation 2) |
Closed – Implemented
As of April 2024, HHS provided updates on its efforts to monitor, evaluate, and report on the progress of the Chief Information Security Officer (CISO) Council, Information Security Continuous Monitoring Working Group (ISCM, formerly known as the Continuous Monitoring and Risk Scoring Working Group), and Cloud Security Working Group. Specifically, officials provided an updated charter for the CISO Council, which includes the Cloud Security Working Group chartered under it, and the ISCM Working Group. The charters describe these groups' performance monitoring processes that include reporting the progress of initiatives and tracking action items in CISO Council meeting minutes. The CISO Council and ISCM Working group began implementing the performance monitoring processes in February 2024. The February and March 2024 CISO Council Meeting minutes included updates on the Cloud Security and ISCM Working Group efforts. For example, the meeting minutes described the Cloud Security Working Group's efforts to compile and reconcile data for federal cloud security compliance reporting and the ISCM Working Group's efforts to finalize the department's ISCM Strategy Document.
|
| Department of Health and Human Services | The Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to monitor, evaluate, and report on the progress and performance of the Government Coordinating Council's Cybersecurity Working Group and HHS Cybersecurity Working Group. (Recommendation 3) |
Open – Partially Addressed
In April 2024, HHS provided an update on its efforts to monitor the progress and performance of the Government Coordinating Council's (GCC) Cybersecurity Working Group and the HHS Cybersecurity Working Group, now called the Healthcare and Public Health (HPH) Sector Risk Management Agency (SRMA) Cyber Working Group. Specifically, the department informed us that the Office of the Assistant Secretary for Preparedness and Response's (ASPR) leadership of the newly established overarching HPH GCC allows the office to oversee, monitor, evaluate, and report on the tasks and projects of the GCC Cybersecurity Working Group. Similarly, HHS stated that ASPR's leadership of the HPH SRMA Cyber Working Group enables the office to monitor the progress of that working group. We will follow up with the department to obtain documentation demonstrating ASPR's oversight of the working groups' progress and performance.
|
| Department of Health and Human Services | The Secretary of HHS should direct the Chief Information Officer to regularly monitor and update written agreements describing how the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group will facilitate collaboration, and ensure that authorizing officials review and approve the updated agreements. (Recommendation 4) |
Open – Partially Addressed
As of April 2024, the HHS Chief Information Security Officer (CISO) reviewed and approved updates to the charters for the CISO Council, which also covers the Cloud Security Working Group chartered under it, and the Information Security Continuous Monitoring Working Group (ISCM, formerly known as the Continuous Monitoring and Risk Scoring Working Group). The CISO Council charter describes the council's responsibility to support HHS' mandates for implementing cybersecurity tools, technologies, policies, practices, and controls. According to the department, this includes efforts to regularly monitor and update the CISO Council charter, which also covers the Cloud Security Working Group. We will follow up with the department to obtain the final ISCM Strategy document, which the agency stated describes their efforts to regularly monitor the charter for the ISCM Working Group.
|
| Department of Health and Human Services | The Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to ensure that authorizing officials review and approve the charter describing how the HHS Cybersecurity Working Group will facilitate collaboration. (Recommendation 5) |
Closed – Implemented
In April 2023, HHS provided an updated charter for the HHS Cybersecurity Working Group, now called the Healthcare and Public Health Sector Risk Management Agency Cyber Working Group, which has been signed by the co-chairs for the working group. The department also provided a decision memo signed by the Deputy Secretary of HHS and Assistant Secretary for Preparedness and Response that approves the HPH SRMA Cyber Working Group charter.
|
| Department of Health and Human Services | The Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to (1) finalize written agreements that include a description of how the Government Coordinating Council's Cybersecurity Working Group will collaborate, (2) identify the roles and responsibilities of the working group, (3) monitor and update the written agreements on a regular basis, and (4) ensure that authorizing officials leading the working group approve the finalized agreements. (Recommendation 6) |
Open
As of April 2024, HHS reiterated its assertion that efforts to improve the operations of the Government Coordinating Council's (GCC) Cybersecurity Working Group were paused due to a current effort to evaluate its Sector Risk Management Agency cybersecurity activities, resources, roles, and responsibilities. The department informed us that it would provide updates on a biannual basis as the efforts of the GCC Cyber Working Group progress forward.
|
| Department of Health and Human Services | The Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to update the charter for the Joint Healthcare and Public Health Cybersecurity Working Group for the current fiscal year and ensure that authorizing officials leading the working group review and approve the updated charter. (Recommendation 7) |
Open
As of April 2024, HHS informed us that it has not taken any additional actions on this recommendation, and that additional conversations and coordination between the sector's government and private sector leaders will need to occur before the department can move forward with updating the Joint Healthcare and Public Health Cybersecurity Working Group's charter. The department informed us that it would provide updates on a biannual basis as they become available.
|