GAO: HHS lets cybersecurity shortcomings linger

Dive Brief:

  • The Government Accountability Office (GAO) is again urging the federal government to beef up its cybersecurity capacity, particularly in the areas of electronic health records (EHRs) and state-based health insurance marketplaces.
  • Its new 25-page report calls on the government to improve detection of and response to cyber incidents, increase training for cyber workers, strengthen cybersecurity of critical infrastructures and increase oversight of personal information.
  • The investigative arm of Congress chided the HHS for not implementing the key cybersecurity controls it recommended in 2016.

Dive Insight:

The HHS needs to do a better job of protecting the security and privacy of EHR information and increase protections of personal data on state-based health insurance marketplaces, according to the new report. The GAO's insistence comes at a time when healthcare has become more of a target for cyber attacks than all other industries in the U.S.

Last summer, a group of hackers known as the Dark Overlords put about 500 patient records stolen from a Georgia-based orthopedic clinic up for sale on the black market. Aaron Miri, CIO and vice president of government relations at Imprivata, told Healthcare Dive last year that a single medical record can sell for more than $200 on the dark net. Also, VMware CIO Iain Mulholland testified at a subcommittee hearing earlier this week that medical records go for far higher prices on the dark web than credit card information because the metadata contained in EHRs can be used to launch other attacks, FierceHealthcare reports.

U.S. health systems could stand to lose an estimated $305 billion from coordinated cyberattacks, a 2015 Accenture report shows.

Cybersecurity threats are also raising credit risk for U.S. insurance companies, including health insurers, and are now a top board-level priority, according to a new survey by Moody’s. “Among survey respondents, essentially all maintain incident response plans for multiple cyber intrusion scenarios, and most insurers test their vulnerability annually,” Alan Murray, senior vice president of Moody’s, said in a statement.
