GAO urges HHS to increase oversight of ransomware practices

The U.S. Government Accountability Office (GAO) issued recommendations to HHS surrounding its oversight of ransomware practices across the sector in a recent report. The report assessed four federal agencies, including HHS, to evaluate each agency’s efforts to oversee sector adoption of leading cybersecurity practices. 

GAO chose to focus on four critical infrastructure sectors in particular – critical manufacturing, energy, health care and public health, and transportation systems – because half of the cyber incidents tracked by the FBI in 2022 impacted these four sectors. 

“The four selected sectors’ adoption of leading practices to address ransomware is largely unknown,” GAO noted. “None of the federal agencies designated as the lead for risk management for selected sectors have determined the extent of adoption of the National Institute of Standards and Technology’s recommended practices for addressing ransomware. Doing so would help the lead federal agencies be a more effective partner in national efforts to combat ransomware.” 

The report was informed by publicly disclosed ransomware incidents, vendor research on ransomware attacks, data from the Cybersecurity and Infrastructure Security Agency (CISA) and interviews with sector risk management agency (SRMA) officials. 

GAO’s main objectives were to: 

• Describe the reported impact of ransomware attacks on selected critical infrastructure sectors 

• Assess SRMAs’ efforts to oversee selected sectors’ adoption of leading federal practices to prevent and respond to ransomware attacks 

• Evaluate the extent to which SRMAs for selected sectors assessed ransomware risks and the effectiveness of their support to help owners and operators address threats. 

For health care, GAO explored the ways in which ransomware attacks can disrupt operations, resulting in an inability to provide emergency care and cancellations of urgent care surgeries and appointments. 

When it comes to how SRMAs collect data on ransomware impacts, results varied across the assessed sectors, leading GAO to determine that further efforts by federal agencies are needed to understand ransomware’s impacts. 

“HHS officials asserted that it collects incident data on the health care and public health sector via phone calls and emails with federal partners and direct connections with impacted private sector entities when possible. HHS noted that it focuses on the technical aspects of the attack when available (e.g., tactics, techniques, and procedures; and indicators of compromise) as well as the impacts to the facility and patient care,” GAO stated. 

“To help gather information about impacts to patient care, HHS developed a standardized set of questions to ask about cyber incidents in the sector. However, HHS did not provide supporting documentation to corroborate its assertions that it collects and analyzes incident data.” 

Further analysis from GAO found that while HHS has made considerable efforts to assess cyber resiliency and measure adoption of the NIST CSF, it had not yet tracked the extent of adoption of ransomware-specific practices. 

However, the report did highlight the sector’s use of the Health Industry Cybersecurity Practices (HICP), which outlines best practices for small, medium, and large health care organizations and plays a key role in reducing risk. 

GAO made 11 recommendations to the four agencies as a result of its analysis, two of which were directed toward HHS. First, GAO recommended that HHS work with CISA and other sector entities to “determine the extent to which the health care and public health sector is adopting leading cybersecurity practices that help reduce the sector’s risk of ransomware.” 

Second, GAO recommended that HHS develop routine evaluation procedures to measure the effectiveness of federal support in reducing the risk of ransomware in health care. 

HHS agreed with GAO’s recommendations but stated that it believes it has already met some of GAO’s requests based on its prior work with the HHS landscape analysis and toolkit. 

“However, HHS is not yet tracking the sector's adoption of specific practices that reduce ransomware risk,” GAO added. “If effectively implemented, HHS's plan to further evolve its activities and strategies could meet the intent of our recommendation and encourage the department to continue to strengthen its efforts in this regard. As such, we believe our recommendation is still valid.”