GAO: HHS Should Strengthen Cyber Threat Information Sharing


The Government Accountability Office (GAO) has recommended that the Department of Health and Human Services (HHS) facilitate threat information sharing to help improve coordination and collaboration on cybersecurity efforts.

GAO made the recommendation after it found that the Health Sector Cybersecurity Coordination Center, one of HHS’ entities, does not routinely secure threat information from the Healthcare Threat Operations Center, according to a report published Monday.

“This lack of sharing is due, in part, to HHS not describing coordination between the two entities in procedures defining their responsibilities for cybersecurity information sharing,” GAO said in the report. “Until HHS formalizes coordination for the two entities, they will continue to miss an opportunity to strengthen information sharing with sector partners.”

The congressional watchdog also found that HHS entities fully addressed four of the seven leading practices for collaboration: bridging organizational cultures, identifying leadership, including relevant participants in the group and identifying resources.

HHS has yet to fully demonstrate the other three collaboration practices identified by GAO: defining and tracking outcomes and accountability, clarifying roles and responsibilities and documenting and updating written guidance and agreements, according to the report.

GAO also called on the department to assess and report on the performance of HHS’ Chief Information Security Officer Council, Cybersecurity Working Group, Cloud Security Working Group and Continuous Monitoring and Risk Scoring Working Group.
