
GAO calls on HHS CIO to address cybersecurity deficiencies

GAO's latest report identified 82 open recommendations for the HHS CIO to implement in order to better secure government IT systems.

The Government Accountability Office, or GAO, published a report outlining outstanding GAO recommendations that the HHS chief information officer and component-level CIOs should address to mitigate cybersecurity risk. GAO regularly publishes CIO recommendations for different government departments in an effort to secure IT systems, improve government programs and identify cost savings.

GAO identified 82 open recommendations under HHS' purview, including 37 that were sensitive and 49 relevant to component-level CIOs. All of the recommendations had been made in earlier GAO reports; they are resurfaced in this report to remind HHS of the importance of reducing risk in these areas.

"Fully implementing these open recommendations could significantly improve HHS's ability to deter threats and manage its critical systems, operations, and information," GAO stated.

The recommendations largely focus on two high-risk areas identified by GAO: ensuring the cybersecurity of the nation and improving IT acquisitions and management.

Under the former, GAO stressed that the HHS CIO, Clark Minor, and component-level CIOs need to take additional steps to secure records and information systems.

"For example, we recommended that HHS establish a reasonable time frame for when it will be able to digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post those forms on the department's privacy program website," GAO stated.

"Until HHS implements this recommendation, the department will not be able to adequately protect records from improper disclosure."

Additionally, GAO recommended that the department fully implement event logging requirements directed by the Office of Management and Budget, identify duplicative pandemic IT systems, develop privacy impact assessments for public health preparedness and response systems and improve access controls within the National Institutes of Health.

Under the second high-risk area, improving IT acquisitions and management, GAO emphasized that HHS continues to struggle with managing and tracking its IT resources.

"We recommended that HHS complete its covered Internet of Things (IoT) inventory within the revised time frame it had proposed," GAO said, referencing a December 2024 report on IoT security gaps.

"Given the enormous array of disparate devices that may be considered part of IoT, it is important that HHS identifies and documents the devices connected to its information systems. Until HHS implements this recommendation, the department will lack visibility into the IoT devices in its enterprise environment and the ability to mitigate IoT cybersecurity risks."

HHS has largely concurred with GAO's recommendations in the past, though many remain open and unfinished. By appealing to the CIO's specific responsibilities -- including strategic planning and information security -- GAO's report highlighted the work that HHS still needs to do to bring its systems in line with those recommendations.

"Your attention to these recommendations will help ensure the secure and effective use of IT at the department," GAO said.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
