GAO report
Government Watchdog Flags Poor Cyber Threat Info Sharing Practice by HHS
The Government Accountability Office found that poor coordination hampered the Department of Health and Human Services’ ability to routinely share cyber threat information with private sector partners.
In its report, GAO attributed the problem to a disconnect between the Healthcare Threat Operations Center (HTOC), a federal interagency program co-led by HHS that provides descriptive and actionable cyber data, and the Health Sector Cybersecurity Coordination Center (HC3), which relays information to industry.
The government watchdog noted that HC3 did not receive threat information regularly from HTOC, FedScoop reported.
HC3 alerts were found to lack critical data from HTOC reports, including details about the internet protocol address used by a malicious actor in an attempted cyberattack.
In addition, coordination responsibilities were not specified in the HTOC Concept of Operations and the HC3 Strategic Plan.
The GAO also quoted a senior HTOC official who said that sharing of “appropriate” information with HC3 happened rarely.
The report comes amid a rise in cyberattacks on health care organizations. Attacks on these organizations' information technology systems could endanger patient privacy and disrupt essential telehealth services.
“Safeguarding federal information systems and those systems supporting our nation’s critical infrastructure has been a longstanding GAO concern,” the report stated.
To address the information sharing problem, GAO made seven recommendations to HHS, one of which the agency disagreed with.
HHS agreed to a recommendation requiring the agency chief information officer to report on how the HHS CISO Council, Continuous Monitoring and Risk Scoring Working Group and Cloud Security Working Group will facilitate collaboration within the department.
However, the agency disagreed with a recommendation requiring the HHS CIO to coordinate information sharing between the two centers, citing the high levels of fidelity and sensitivity that surround federal intelligence data.