Healthcare Sector Fares Well in GAO Review of Cybersecurity Progress
Perhaps in part due to the fact that the healthcare sector has long been focused on information security thanks to the HIPAA privacy and security rules, the Department of Health and Human Services (HHS) fared well in a review by the U.S. Government Accountability Office (GAO) regarding how federal agencies are protecting critical infrastructure from cyber risks.
The GAO's report cited a recent high-profile attack on a health insurer that potentially compromised the information of 1.1 million customers as one example demonstrating the impact of cyber attacks, and evaluated the efforts of 15 critical infrastructure sectors, including the healthcare and public health sector, which it defined to include providers such as laboratories, insurers, pharmaceuticals, blood and health information technology. The GAO found that HHS addressed eight of nine Call to Action steps identified by the National Infrastructure Protection Plan to improve cybersecurity and mitigate cyber risks. The only Call to Action step which the GAO found the health sector had not addressed was "advancing research and development solutions" to improve infrastructure security and resilience.
HHS was, however, one of only three sectors that "established performance metrics to monitor cybersecurity-related activities, incidents, and progress in their sectors." Those metrics included mandatory reporting of data breaches (under the HITECH requirements), HHS monitoring of such breach incidents and use of data breach information to identify "cybersecurity-related trends." HHS also monitors receipt of its security alerts. It is these performance metrics that GAO found lacking in the remaining sectors and the GAO made such metrics the main focus of its recommendations to the other sectors.
Takeaway: As many agencies warn that more needs to be done to address cybersecurity risks, the GAO finds that the healthcare sector is ahead of other sectors in terms of monitoring its cybersecurity performance.
This content is exclusive to National Lab Report subscribers
Start a Free Trial for immediate access to this article and our entire archive of over 20 years of NLR reports.