HHS should improve sharing of cyber threat information: GAO

The U.S. Department of Health and Human Services could provide more cybersecurity help to health care organizations by routinely sharing threat information, the U.S. General Accountability Office said Monday in a report.

But HHS said it disagrees with the GAO’s recommendation that this be accomplished by coordinating communication between two HHS entities, although it does agree with six other recommendations the GAO made.

The two HHS entities are the Health Sector Cybersecurity Coordination Center, which was established to improve cybersecurity information sharing in the sector, and the Healthcare Threat Operations Center, a federal interagency program co-led by HHS that focuses on, among other things, providing descriptive and actionable cyber data.

Because of a lack of coordination between these two entities, the cybersecurity center does not routinely receive cybersecurity information from the threat operations center that can be passed on, the report says.

“Until HHS formalizes coordination for the two entities, they will continue to miss an opportunity to strengthen information sharing with sector partners,” the report says.

The report says HHS contends there is already close coordination between the centers; it does not believe any duplication exists in the information sharing by the two entities; and because of the high level of sensitivity that surrounds the data involved, the threat operations center does not share information without the expressed permission and authorization of the originating agency.

The GAO said in a report last week that the Department of Defense may be underestimating the risks associated with some of its business information technology systems.