GAO-25-107755 1 (2024-11-13)

The Big Picture

Over the last several years, there have been increased cyberattacks in the healthcare and public health critical infrastructure sector. Recently, in February 2024, Change Healthcare (a health payment processor) became the victim of a ransomware cyberattack that involved the theft of data resulting in estimated losses of $874 million and widespread impacts on healthcare providers and patient care.

[Figure: Illustration of Example Ransomware Cyberattack Impacts. Panels: disruptions to hospital operations; cancellation of urgent surgeries; cancellation of radiology appointments; inability to provide emergency care. Sources: GAO analysis of publicly reported incident information, GAO (sign); archipoch/stock.adobe.com (hospital); elenabsu/stock.adobe.com (images) | GAO-25-107755]

As the lead federal agency for the healthcare and public health sector, HHS is responsible for strengthening cybersecurity in the sector. These responsibilities include coordinating with the Cybersecurity and Infrastructure Security Agency (CISA), the national coordinator for critical infrastructure security and resilience.

What GAO's Work Shows

Our prior work has highlighted HHS' challenges in carrying out its lead responsibilities for sector cybersecurity. The department has not yet implemented all our recommendations to address these challenges.
Supporting Healthcare Cyber Risk Management

HHS has several initiatives intended to mitigate ransomware risks for healthcare and public health. Nevertheless, our prior work has found that the department had not adequately monitored the sector's implementation of ransomware mitigation practices. For example, in January 2024, we reported that HHS released results of an analysis of U.S. hospitals' cybersecurity. Among other things, the analysis found that participating hospitals had self-assessed that they had adopted 70.7 percent of the National Institute of Standards and Technology Cybersecurity Framework's functional areas of identify, detect, protect, respond, and recover. However, at the time of our report, HHS was not yet tracking adoption of the ransomware-specific practices outlined in the framework. Although HHS officials told us that they would be able to assess implementation of key concepts in the framework, the department did not provide evidence of its efforts to do so. Without full awareness of the sector's adoption of cybersecurity practices, HHS risks not directing resources where needed.

>   We recommended that HHS, in coordination with CISA and sector entities, determine the sector's adoption of cybersecurity practices that help reduce ransomware risk.


GAO-25-107755 Healthcare Cybersecurity
