HHS Needs to Modernize Its Cyber Approach: Watchdog Agency
Department's Federated IT, Many Data Silos Complicate Security Efforts, Report Says
The Department of Health and Human Services faces "significant challenges" in protecting data and technology from cyberthreats and improving how its various related entities share large volumes of critical data, including public health data, a new watchdog report says.
The department's federated IT and cybersecurity approach doesn't make those challenges any easier, says the departmental Office of Inspector General in an annual assessment of management challenges.
HHS is making progress in how it collects, manages, shares and secures its data, but it needs to modernize its data and technology capabilities to improve situational awareness and better prepare for public health threats and emergencies in the future, the report says.
OIG says HHS is finalizing a data strategy intended to focus on addressing challenges related to data sharing, security and privacy. Its execution will depend on dumping data silos and legacy technology that does not easily support modern data governance and standardization, the report warns.
"Some HHS programs rely on decades-old, legacy IT systems with limited data capabilities, which may exacerbate the effect of data silos," the report says.
As HHS updates its technological capabilities, increases data exchange among its various programs and the public, and improves data interoperability in the broader healthcare and public health systems, it also must take crucial steps to modernize its approach to cybersecurity, OIG writes.
President Joe Biden, in a May 2021 executive order, directed federal agencies to change their approach to cybersecurity. The department's Office of Information Security is finalizing its strategic plan in support of that effort, OIG says.
This includes adopting a zero trust security architecture approach, "which requires meaningful organizational change" in how HHS implements security across its divisions and programs, OIG writes.
In the meantime, the federated nature of IT and cybersecurity environments across HHS with its "vast network of interdependent, increasingly digital health, social, and administrative service" presents a persistent challenge for the department, OIG writes.
"The large scale of HHS's mission and IT environments dictates that the Department must simultaneously address a range of dynamic cybersecurity requirements along with the specific data and technological needs for each division or program," OIG writes.
Greg Garcia, executive director at the Health Sector Coordinating Council, a public-private advisory group to HHS, tells Information Security Media Group that it is imperative - for the sake of the healthcare and public health sector at large - that HHS find ways to better coordinate cybersecurity across its many agencies.
"You have all of these operational divisions within HHS," he says. They don't necessarily coordinate on cybersecurity "in a coherent way because they all have their own statutory authorities that they have to answer to," he says. "It's incumbent upon the executive leadership … to find ways to coordinate holistically how HHS is going to address constantly evolving cybersecurity threats against the nation's healthcare system."
In the meantime, persistent and growing cybersecurity threats exacerbate other related challenges HHS faces with the data and technologies its divisions use to carry out vital health and human services programs, OIG writes.
"These threats, if not mitigated, can put critical HHS program operations at risk and potentially impact the health and welfare of individuals served by HHS," OIG writes.
"It is common practice for adversaries to continuously conduct reconnaissance for discovering new systems under development, often to gain understanding of the underlying technologies, data, and potential vulnerabilities that may be exploited."
To help overcome these challenges, HHS and its divisions will need to establish and use a risk-based approach to rapid system development and deployment, OIG says. "This includes understanding the value of protecting technology and data and the risk presented by cybersecurity threats."