The Government Accountability Office has called on the Department of Health and Human Services to improve how it collects feedback from the health care sector on cybersecurity breach reporting requirements.
In a report issued Monday, the watchdog recommended that the agency’s Office of Civil Rights set up a process to assess the ease with which entities like health plans and health care providers can disclose potential cybersecurity incidents to the federal government.
“[Office of Civil Rights] OCR has not provided a formal method for covered entities and business associates to provide feedback about the breach reporting and investigations processes,” said GAO. It added: “Addressing this shortcoming will be an important step toward improving or simplifying aspects of the breach and investigations process and preventing long lapses of communication during ongoing breach reporting investigations.”
The pace of information sharing between the private sector and government in the aftermath of a cyberattack remains a concern for federal oversight bodies. In January, an in-depth GAO report pointed to difficulties with information sharing between the government and private sector following the SolarWinds cyberattack in late 2020, as well as problems with interagency communications.
“[A] Senior Technical Director from CISA’s cybersecurity division told us that sharing data received from law enforcement with other agencies and the private sector was challenging,” the report said at the time.
HHS sets and enforces standards for protecting electronic health information; as part of that role, its Office of Civil Rights enforces the Health Insurance Portability and Accountability Act (HIPAA) privacy, security and breach notification rules.
Under the agency’s investigatory authority, the Office of Civil Rights probes and records details of potential cybersecurity breaches.
In March, the president signed into law legislation that would require critical infrastructure owners and operators to report to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency within 72 hours of suffering a major hack.