The Department of Health and Human Services doesn’t routinely share cyber threat information with private sector partners because the two centers responsible haven’t formalized coordination, according to the Government Accountability Office.
GAO found the Healthcare Threat Operations Center, an interagency program providing actionable cyber data, didn’t regularly provide threat information to the Health Sector Cybersecurity Coordination Center (HC3) for sharing with industry.
Private sector partners want more actionable threat information from HC3, with cyberattacks on health care organizations on the rise since the start of the U.S. COVID-19 response in March 2020, putting patient privacy and telehealth services at risk.
“Given the many players involved in cybersecurity management at the department and in supporting the cybersecurity of the [health care and public health] sector, deliberate and well-organized coordination and collaboration are essential to ensure that efforts are successful,” reads GAO’s report released Monday. “Safeguarding federal information systems and those systems supporting our nation’s critical infrastructure has been a longstanding GAO concern.”
HC3 alerts included mitigation strategies but not information from HTOC reports like the Internet Protocol address used by a malicious actor to facilitate an attempted cyberattack.
Neither the HTOC Concept of Operations nor the HC3 Strategic Plan includes specific coordination responsibilities, and a senior HTOC official said it rarely shares “appropriate” information with HC3, according to GAO.
HHS’s chief information security officer told GAO that HTOC and HC3 coordinate information sharing during daily situational awareness meetings, but those meetings are led by the Computer Security Incident Response Center and coordination wasn’t apparent, according to GAO.
GAO recommended HHS’s chief information officer coordinate information sharing between the two centers, but HHS disagreed with the recommendation, arguing that the already “close coordination” takes into account agreements between private-sector partners and stakeholders.
“[D]ue to the high level of fidelity and sensitivity that surround federal intelligence data and the HTOC federal partner cybersecurity operational data, HTOC partners do not share information outside the partnership without the expressed permission and authorization of the originating agency,” wrote Rose Sullivan, acting assistant secretary for legislation at HHS, in the department’s response.
HTOC receives intelligence data from the Department of Homeland Security, open source data, HC3, and subscription-based intelligence sources.
GAO further found HTOC and six other HHS entities it reviewed only partially addressed three cyber collaboration practices: defining and tracking outcomes and accountability, clarifying roles and responsibilities, and documenting and regularly updating guidance and agreements.
GAO recommended HHS’s CIO report on the progress and performance of the HHS CISO Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group, as well as regularly update collaboration agreements between them with approval.
GAO also recommended the Assistant Secretary for Preparedness and Response do the same for the Government Coordinating Council’s Cybersecurity Working Group and HHS Cybersecurity Working Group, as well as update the charter for the Joint Healthcare and Public Health Cybersecurity Working Group for the current fiscal year.
HHS agreed with those recommendations.