Perhaps in part due to the fact that the healthcare sector has long been focused on information security thanks to the HIPAA privacy and security rules, the Department of Health and Human Services (HHS) fared well in a review by the U.S. Government Accountability Office (GAO) regarding how federal agencies are protecting critical infrastructure from cyber risks. The GAO’s report included a recent high profile attack on a health insurer that potentially compromised the information of 1.1 million customers as one example demonstrating the impact of cyber attacks, and evaluated the efforts of 15 critical infrastructure sectors including the health care and public health sector—which it defined to include providers such as laboratories, insurers, pharmaceuticals, blood and health information technology. The GAO found that HHS addressed eight of nine Call to Action steps identified by the National Infrastructure Protection Plan to improve cybersecurity and mitigate cyber risks. The only Call to Action step which the GAO found the health sector hadn’t addressed was "advancing research and development solutions" to improve infrastructure security and resilience. HHS was, however, one of only three sectors that "established performance metrics to monitor cybersecurity-related activities, incidents, and progress in their sectors." Those metrics included mandatory…
