61 KB – 74 Pages

United States Government Accountability Office
Highlights of GAO-21-403, a report to congressional requesters
June 2021

CYBERSECURITY
HHS Defined Roles and Responsibilities, but Can Further Improve Collaboration

What GAO Found

The Department of Health and Human Services' (HHS) Office of Information Security is responsible for managing department-wide cybersecurity. HHS clearly defined responsibilities for the divisions within that office to, among other things, document and implement a cybersecurity program, as required by the Federal Information Security Modernization Act of 2014.

For health care and public health critical infrastructure sector cybersecurity, HHS also defined responsibilities for five HHS entities. Among these entities are the Health Sector Cybersecurity Coordination Center, which was established to improve cybersecurity information sharing in the sector, and the Healthcare Threat Operations Center, a federal interagency program co-led by HHS and focused on, among other things, providing descriptive and actionable cyber data. Private-sector partners that receive information provided by the Health Sector Cybersecurity Coordination Center informed GAO that they could benefit from receiving more actionable threat information. However, this center does not routinely receive such information from the Healthcare Threat Operations Center, and therefore is not positioned to provide it to sector partners. This lack of sharing is due, in part, to HHS not describing coordination between the two entities in procedures defining their responsibilities for cybersecurity information sharing. Until HHS formalizes coordination for the two entities, they will continue to miss an opportunity to strengthen information sharing with sector partners.

Further, HHS entities led, or participated in, seven collaborative groups that focused on cybersecurity in the department and healthcare and public health sector. These entities regularly collaborated on cyber response efforts and provided cybersecurity information, guidance, and resources through these groups and other means during COVID-19 between March 2020 and December 2020. In addition, the HHS entities coordinated with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to address cyber threats associated with COVID-19. Further, the HHS entities fully demonstrated consistency with four of the seven leading collaboration practices that GAO identified, and partially addressed the remaining three (see table). Until HHS takes action to fully demonstrate the remaining three leading practices, it cannot ensure that it is improving cybersecurity within the department and the healthcare and public health sector.

Extent to Which the Department of Health and Human Services (HHS) Demonstrated Leading Practices for Collaborating

Leading practice: Extent to which the HHS working groups demonstrated the leading practice
- Define and track outcomes and accountability: partially demonstrated (five groups met this practice)
- Bridge organizational cultures: fully demonstrated (all seven groups met this practice)
- Identify leadership: fully demonstrated (all seven groups met this practice)
- Clarify roles and responsibilities: partially demonstrated (six groups met this practice)
- Include relevant participants in the group: fully demonstrated (all seven groups met this practice)
- Identify resources: fully demonstrated (all seven groups met this practice)
- Document and regularly update written guidance and agreements: partially demonstrated (six groups met this practice)
Source: GAO analysis of HHS documentation. | GAO-21-403

View GAO-21-403. For more information, contact Jennifer R. Franks at (404) 679-1831 or franksj@gao.gov.

Why GAO Did This Study

HHS and the healthcare and public health sector rely heavily on information systems to fulfill their missions, including delivering healthcare-related services and responding to national health emergencies, such as COVID-19. Federal laws and guidance have set requirements for HHS to address cybersecurity within the department and the sector. Federal guidance also requires collaboration and coordination to strengthen cybersecurity at HHS and in the sector.

GAO was asked to review HHS's organizational approach to address cybersecurity. This report discusses HHS's roles and responsibilities for departmental cybersecurity; HHS's roles and responsibilities for healthcare and public health sector cybersecurity; and HHS's efforts to collaborate to manage its cybersecurity responsibilities. To perform its work, GAO reviewed documentation describing HHS's cybersecurity roles and responsibilities, assessed those responsibilities for fragmentation, duplication, and overlap, and evaluated the department's collaborative efforts against GAO's leading practices for collaboration. GAO also interviewed relevant officials at HHS and CISA, and in the sector.

What GAO Recommends

GAO is making seven recommendations to HHS to improve its collaboration and coordination within the department and the sector. HHS agreed with six of the recommendations and disagreed with one. GAO continues to believe that all recommendations are appropriate.

Page i GAO-21-403 HHS Cybersecurity

Contents

Letter 1
Background 7
HHS Has Clearly Defined Roles and Responsibilities for Managing the Cybersecurity of the Department 16
HHS Clearly Defined Its Roles and Responsibilities for Supporting HPH Sector Cybersecurity; However, Opportunity for Improving Coordination Exists 22
HHS Entities Regularly Shared Cybersecurity Information during COVID-19, but Can Further Improve Collaboration 28
Conclusions 49
Recommendations for Executive Action 50
Agency Comments and Our Evaluation 51
Appendix I Objectives, Scope, and Methodology 55
Appendix II Department of Health and Human Services' Cybersecurity-Related Information Sharing Products 61
Appendix III Comments from the Department of Health and Human Services 63
Appendix IV GAO Contacts and Staff Acknowledgments 68

Tables
Table 1: Responsibilities for the Three Office of Information Security Divisions Managing the Department of Health and Human Services' (HHS) Cybersecurity Program, in accordance with Federal Information Security Modernization Act of 2014 (FISMA) 19
Table 2: Roles and Responsibilities of the Department of Health and Human Services (HHS) Entities that Provide Cybersecurity Assistance to the Healthcare and Public Health (HPH) Critical Infrastructure Sector 24
Table 3: Roles of the Department of Health and Human Services' (HHS) Cybersecurity-Focused Collaborative Groups Supporting Cybersecurity Management at the Department and Coordination in the Healthcare and Public Health (HPH) Sector 29
Table 4: Examples of Cybersecurity-related Products Shared by Department of Health and Human Services (HHS) Entities 33
Table 5: Examples of the Department of Health and Human Services' Cybersecurity Collaborative Groups' Actions that were Generally Consistent with the Leading Practices for Collaboration 37
Table 6: Extent to Which the Department of Health and Human Services' Cybersecurity Collaborative Groups Demonstrated Leading Practices for Collaboration 38
Table 7: Goals of Collaborative Groups led by the HHS Office of Information Security and Office of the Assistant Secretary for Preparedness and Response (ASPR) 39
Table 8: Information Sharing Products Used by the Department of Health and Human Services (HHS) Entities to Help Strengthen Cybersecurity within the Department and Healthcare and Public Health (HPH) Critical Infrastructure Sector 61

Figure
Figure 1: Structure of the Department of Health and Human Services (HHS) Office of the Chief Information Officer's Office of Information Security 18

Abbreviations

ASPR        Assistant Secretary for Preparedness and Response
BARDA       Biomedical Advanced Research and Development Authority
CDC         Centers for Disease Control and Prevention
CISA        Cybersecurity and Infrastructure Security Agency
CISO        Chief Information Security Officer
COVID-19    Coronavirus Disease 2019
CSIRC       Computer Security Incident Response Center
DHS         Department of Homeland Security
FBI         Federal Bureau of Investigation
FDA         Food and Drug Administration
FedRAMP     Federal Risk and Authorization Management Program
FISMA       Federal Information Security Modernization Act of 2014
HC3         Health Sector Cybersecurity Coordination Center
HHS         Department of Health and Human Services
HIPAA       Health Insurance Portability and Accountability Act of 1996
HITECH Act  Health Information Technology for Economic and Clinical Health Act
HPH         Healthcare and Public Health
HTOC        Healthcare Threat Operations Center
IT          information technology
NIH         National Institutes of Health
NIST        National Institute of Standards and Technology
OCIO        Office of the Chief Information Officer
ONC         Office of the National Coordinator for Health Information Technology
PPD 21      Presidential Policy Directive 21
TRACIE      Technical Resources, Assistance Center, and Information Exchange

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Page 1

Letter

441 G St. N.W.
Washington, DC 20548

June 28, 2021

Congressional Requesters

The Department of Health and Human Services (HHS) and the organizations that make up the Healthcare and Public Health (HPH) critical infrastructure sector rely heavily on information technology (IT) systems to implement their programs and deliver health and healthcare-related goods and services to the public.[1] For example, HHS currently relies on its HHS Protect platform to provide a holistic view of the U.S. healthcare system to guide the nation's response to the Coronavirus Disease 2019 (COVID-19).[2] HHS also relies on interconnected IT systems to make operational decisions on the delivery of health and social services. These systems, operated by the department and the HPH sector organizations, process critical sensitive data, such as personally identifiable information and protected health information.[3]

[1] The Critical Infrastructure Protection Act of 2001 defines "critical infrastructure" as systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these. 42 U.S.C. §5195c(e). In 2003, the federal government established the Healthcare and Public Health (HPH) sector as a critical infrastructure sector in the United States, recognizing that its security and resilience are essential to national security, the economy, and public health and safety. Since that time, the HPH sector's partnerships with relevant private sector owners, operators, and professional associations and government representatives at the federal, state, and local levels have strengthened.
[2] HHS Protect is a secure data ecosystem that is intended to facilitate the collection, sharing, and analyzing of near real-time COVID-19 data. It integrates information from more than 200 datasets from federal, state, and local governments and commercial sources.
[3] Personally identifiable information is any information that can be used to distinguish or trace an individual's identity, such as name, date, place of birth, and Social Security number. It also includes other types of personal information that can be linked to an individual, such as medical, educational, financial, and employment information. The Health Insurance Portability and Accountability Act of 1996 and its implementing regulations define protected health information as individually identifiable health information and includes information collected from an individual, including demographic information, that 1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; 2) relates to the past, present, or future physical or mental health condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and 3) identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Page 3

effectively collaborated to manage their cybersecurity responsibilities, including COVID-19 cyber response efforts.

To address the first and second objectives, we considered a key principle of an effective control environment on management establishing an organizational structure, assigning responsibility, and delegating authority to achieve the entity's objectives.[8] To determine how HHS determined its entities' roles and responsibilities to meet its cybersecurity objectives, we analyzed relevant HHS documentation, such as organizational charts, for the full department, as well as for the Office of the Chief Information Officer (OCIO), Office of the Assistant Secretary for Preparedness and Response (ASPR), and Office of the National Coordinator for Health IT; departmental cybersecurity-related policies and procedures; strategic and operational plans; and HPH sector plans. In reviewing these documents, we identified the HHS entities (e.g., offices, divisions, or centers) that had been assigned roles for managing cybersecurity within the department and for assisting with cybersecurity efforts in the HPH sector. We also reviewed HHS cybersecurity policies and procedures and strategic and operational plans, as well as HPH sector plans, to identify the responsibilities required to carry out the identified roles. We assessed the roles and responsibilities of the entities in comparison to the eight FISMA-defined elements of a cybersecurity program (discussed later in this report), and federal requirements related to cybersecurity in the HPH sector.

In addition, we used the steps recommended by GAO's fragmentation, overlap, and duplication evaluation guide to identify whether there was any fragmentation, overlap, or duplication in the responsibilities of the entities we identified with roles in cybersecurity.[9] Specifically, we analyzed HHS documentation describing the entities' cybersecurity responsibilities to determine the:
- entities' goals and outcomes;
- entities' defined roles and responsibilities;
- relationships among the entities;

[8] GAO, Standards for Internal Control in the Federal Government, GAO-14-704G (Washington, D.C.: Sept. 10, 2014).
[9] GAO, Fragmentation, Overlap, and Duplication: An Evaluation and Management Guide, GAO-15-49SP (Washington, D.C.: Apr. 14, 2015).

Page 4

- effects of any identified fragmentation, overlap, or duplication in the entities' roles and responsibilities; and
- means by which the entities could increase efficiency and reduce or better manage the fragmentation, overlap, or duplication.

Further, we interviewed senior officials in HHS's OCIO, ASPR, and the Office of the National Coordinator for Health IT to verify that the HHS entities we identified had significant roles in managing the department's cybersecurity and in assisting the HPH sector with cybersecurity. We also discussed these officials' responsibilities for fulfilling those roles.

To address the third objective, we assessed control activities related to two key internal control principles: that management should design control activities to achieve objectives and respond to risks, and implement control activities through policies.[10] Specifically, we assessed the department's efforts to use collaboration to manage its cybersecurity responsibilities by reviewing documentation of the management and operations of collaborative groups involved in addressing cybersecurity within the department and HPH sector. To do this, we identified the groups that the HHS entities told us they used for cybersecurity collaboration within the department and HPH sector. We then selected for review the seven cybersecurity-focused groups for which the HHS entities maintained operational documentation (i.e., charters and concepts of operation).[11] These collaborative groups were the
- HHS Chief Information Security Officer Council
- HHS Cloud Security Working Group
- HHS Continuous Monitoring and Risk Scoring Working Group

[10] GAO-14-704G
[11] HHS officials in OCIO's Office of Information Security informed us that there are several working groups chartered under the Chief Information Security Officer Council. Those working groups include the Federal Information Security Modernization Act and the Cybersecurity Awareness, Training, and Education working groups. In addition, the six HHS operating divisions that we selected for this review informed us of other cybersecurity-related working groups, such as the HHS Incident Response Team, HHS IT Strategic Workforce, HHS Cybersecurity Workforce Development, Cyber Threat Coordination working groups, and others. However, the officials in the Office of Information Security did not provide charters or other documentation describing the operation of these working groups.

Page 5

- Healthcare Threat Operations Center
- HHS Cybersecurity Working Group
- HPH Sector Government Coordinating Council's Cybersecurity Working Group
- Joint HPH Cyber Working Group

We reviewed charters and concepts of operation for these collaborative groups to assess the management and operation of each group against seven leading collaboration practices that were identified in our prior work.[12] Those practices were:
- Outcomes and accountability addresses whether short- and long-term outcomes have been clearly defined, and the extent to which tracking and monitoring of progress in achieving outcomes has been performed.
- Bridging organizational cultures includes identifying the missions and cultures of the participating organizations in the collaborative groups.
- Leadership involves designating an individual who will lead the collaborative groups.
- Clarity of roles and responsibilities addresses whether the collaborative groups have clarified roles and responsibilities.
- Participants includes ensuring that all relevant participants are involved in the collaborative groups.
- Resources involves leveraging relevant staff and IT resources to support the operations of the collaborative groups.
- Written guidance and agreements includes documenting the collaborative groups' agreement regarding how they will collaborate and determining ways to continually update and monitor these agreements.

To further evaluate the effectiveness of the HHS entities' collaborative efforts as part of the third objective, we assessed the entities' information sharing processes as they pertain to three key principles of internal control information and communication activities: that management should use quality information to achieve the entity's objectives; internally

[12] GAO, Results-Oriented Government: Practices That Can Help Enhance and Sustain Collaboration among Federal Agencies, GAO-06-15 (Washington, D.C.: Oct. 21, 2005) and Managing for Results: Key Considerations for Implementing Interagency Collaborative Mechanisms, GAO-12-1022 (Washington, D.C.: Sept. 27, 2012).

Page 6

communicate the necessary quality information to achieve the entity's objectives; and externally communicate the necessary quality information to achieve the entity's objectives.[13] Specifically, we obtained documentation, such as flow charts and standard operating procedures, and interviewed senior officials to identify the processes used by the HHS entities to share cybersecurity information. We then compared the HHS entities' information sharing processes to the internal control standards that recommend that management identify relevant information from reliable sources to make informed decisions and address risks; communicate necessary quality information internally and externally; and use appropriate methods of communication for internal and external information sharing.

We supplemented our analyses by interviewing senior officials from the HHS OCIO, ASPR, and Office of the National Coordinator for Health IT. We obtained information on any challenges they had identified in collaborating with relevant sector partners to implement their roles and responsibilities for department and HPH sector cybersecurity. Further, we interviewed officials charged with leading cybersecurity efforts in six HHS operating divisions. We obtained these officials' perspectives on the HHS entities' efforts to implement their roles and responsibilities for managing the department-wide cybersecurity program through its collaborative measures. We selected the six operating divisions based on the number and type of information systems they operate (i.e., low-, moderate-, and high-impact),[14] as reported in HHS's fiscal year 2019 FISMA report. The six operating divisions selected were the Food and Drug Administration

[13] GAO-14-704G
[14] Information systems are categorized according to the magnitude of harm or impact resulting from the system or its information being compromised. The Standards for Security Categorization of Federal Information and Information Systems define three impact levels where the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect (low), a serious adverse effect (moderate), or a severe or catastrophic adverse effect (high) on organizational operations, organizational assets, or individuals. Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems (Gaithersburg, Md.: February 2004).
