GAO-25-107755 Healthcare Cybersecurity
Healthcare Cybersecurity: HHS Continues to Have Challenges as Lead Agency
GAO-25-107755 · November 2024
As the lead federal agency for the healthcare and public health critical infrastructure sector, the Department of Health and Human Services (HHS) has faced challenges in carrying out its cybersecurity responsibilities. Implementing our related prior recommendations can help HHS in its leadership role.
The Big Picture
Over the last several years, there have been increased cyberattacks in the healthcare and public health critical infrastructure sector. Recently, in February 2024, Change Healthcare (a health payment processor) became the victim of a ransomware cyberattack that involved the theft of data resulting in estimated losses of $874 million and widespread impacts on healthcare providers and patient care.
Illustration of Example Ransomware Cyberattack Impacts
As the lead federal agency for the healthcare and public health sector, HHS is responsible for strengthening cybersecurity in the sector. These responsibilities include coordinating with the Cybersecurity and Infrastructure Security Agency (CISA), the national coordinator for critical infrastructure security and resilience.
What GAO’s Work Shows
Our prior work has highlighted HHS’ challenges in carrying out its lead responsibilities for sector cybersecurity. The department has not yet implemented all our recommendations to address these challenges.
Supporting Healthcare Cyber Risk Management
HHS has several initiatives intended to mitigate ransomware risks for healthcare and public health. Nevertheless, our prior work has found that the department had not adequately monitored the sector’s implementation of ransomware mitigation practices. For example, in January 2024, we reported that HHS released results of an analysis of U.S. hospitals’ cybersecurity. Among other things, the analysis found that participating hospitals had self-assessed that they had adopted 70.7 percent of the National Institute of Standards and Technology Cybersecurity Framework’s functional areas of identify, detect, protect, respond, and recover. However, at the time of our report, HHS was not yet tracking adoption of the ransomware-specific practices outlined in the framework. Although HHS officials told us that they would be able to assess implementation of key concepts in the framework, the department did not provide evidence of its efforts to do so. Without full awareness of the sector’s adoption of cybersecurity practices, HHS risks not directing resources where needed.
We recommended that HHS, in coordination with CISA and sector entities, determine the sector’s adoption of leading cybersecurity practices that help reduce ransomware risk.