HHS’ Sluggish Implementation of GAO Health IT and Cybersecurity Recommendations


The U.S. Department of Health and Human Services (HHS) has been slow to implement the recommendations of the Government Accountability Office (GAO). There are 392 recommendations that have not yet been addressed, including 42 recommendations that GAO rated as high priority.

In the last four years, HHS addressed only 75% of GAO’s recommendations. GAO described this poor implementation record in its letter to HHS Secretary Alex Azar on March 28, 2019.

GAO noted that healthcare is an important part of the nation’s critical infrastructure and that computerized systems and electronic information are necessary for it to function properly. Since various threat actors target those systems, it is important to secure them and protect them from unauthorized access.

GAO listed the following four high priority recommendations on health IT and cybersecurity that have yet to be addressed:

  • Outline steps to ensure HHS can efficiently track the effect of EHR programs and their progress
  • Motivate healthcare entities to adopt essential cybersecurity processes and procedures
  • Protect Medicare beneficiary information accessed by outside entities
  • Ensure that progress leads to the implementation of the IT improvements required to create the electronic public health situational awareness system

GAO recalled its March 2018 recommendation that the administrator of the Centers for Medicare and Medicaid Services (CMS) create and implement policies and procedures to ensure that entities using claims data to assess the efficiency of Medicare service and equipment providers have enforced suitable security controls.

Although CMS agreed to hire a contractor to evaluate the current data security framework and make suggestions on specific controls and implementation requirements, GAO says that CMS should also create suitable processes and procedures for putting those controls into action.

Three more of GAO’s high priority health IT and cybersecurity recommendations have not yet been implemented:

HHS has not yet developed performance measures that would allow it to evaluate whether the Meaningful Use program (now the Promoting Interoperability Program) is actually improving outcomes and patient safety.

GAO proposed in 2018 that HHS and the Secretary of Agriculture work together with the Department of Homeland Security and NIST to create methods for determining the level and type of cybersecurity framework adoption within the healthcare industry’s critical infrastructure. Although some of this work was finished, HHS is still attempting to identify appropriate methods a year on.

HHS must direct the Assistant Secretary for Preparedness and Response to follow all IT management and oversight procedures when developing the network and to act under the leadership of the HHS CIO. GAO noted that there has been minimal improvement in the national public health situational awareness network capabilities that would enable officials to view real-time data on emerging health threats.

GAO stressed the importance of implementing these and other recommendations promptly. If all recommendations are carried out, HHS operations will be significantly improved.