The U.S. Government Accountability Office (GAO) wrote to Health and Human Services (HHS) Chief Information Officer (CIO) Clark Minor, drawing his attention to the department's open recommendations on cybersecurity and IT management.
As a non-partisan agency, GAO works for Congress, supporting it in carrying out its constitutional duties and helping to improve the performance and accountability of the federal government. GAO issues recommendations for improving the government's IT performance and related IT management practices, including recommendations to HHS; however, many of those recommendations have not yet been implemented. GAO's letter explained that HHS currently has 82 open recommendations concerning high-risk cybersecurity and IT management problems.
The recommendations fall under two GAO High-Risk areas: Ensuring the Cybersecurity of the Nation and Improving IT Acquisitions and Management. Of the 82 recommendations, about 37 are regarded as sensitive, and one is a priority recommendation. GAO stated in the letter that HHS must take additional steps to protect its records and IT systems in support of the nation's cybersecurity.
GAO had recommended that HHS establish a reasonable time frame for when it can digitally provide access to consent forms for appropriately identity-proofed and authenticated individuals, and publish those forms on the department's privacy program website. GAO cautioned that until the recommendation is implemented, HHS cannot adequately protect data from inappropriate disclosure.
When HHS' Office for Civil Rights (OCR) investigates potential HIPAA violations, it issues financial penalties to organizations that have failed to keep logs of activity in IT systems containing ePHI. However, OCR has not fully implemented effective event logging in its own systems, as directed by the Office of Management and Budget. Without implementing this recommendation, HHS will not have complete log data from its systems to identify, investigate, and respond to cyber threats. HHS has also not implemented the recommendation to improve its incident response guidance, implementation, and monitoring.
In the Improving IT Acquisitions and Management area, GAO has recommended that HHS strengthen its management and oversight of IT resources. For example, HHS had previously provided a revised time frame for completing its inventory of covered Internet of Things (IoT) devices, but the inventory remains incomplete. GAO cautioned about the wide variety of devices that may be regarded as IoT and that connect to HHS IT systems. Without a complete inventory, HHS lacks visibility into the IoT devices in its environment, which could limit its ability to mitigate IoT cybersecurity risks.
HHS has also not finished developing a plan with specific actions to improve its public health situational awareness and biosurveillance system. Such a plan would help ensure that HHS has the capabilities to respond quickly and effectively to an infectious disease outbreak. GAO additionally reminded the HHS CIO of outstanding recommendations from the HHS Office of Inspector General regarding cybersecurity and IT acquisition and management. These include requirements under the Federal Information Security Modernization Act of 2014, and they should be resolved.
Clark Minor joined HHS last February and became CIO in May 2025. In the short time he has been with HHS, he has already made progress in strengthening the security and performance of its systems.