HHS is struggling to keep up with ransomware, cybersecurity needs
HHS may not be doing all it should to keep the healthcare industry safe from the growing number of cybersecurity attacks, particularly ransomware, leaving healthcare providers vulnerable to a wide range of potentially devastating incidents.
According to a new report by the Government Accountability Office (GAO), HHS isn’t fulfilling its responsibilities as the primary entity for cybersecurity oversight in the healthcare sector, and hasn’t done enough to implement recommendations to close gaps in the nation’s security infrastructure.
The agency’s shortcomings are especially worrisome when it comes to ransomware, which is becoming a near-constant threat to hospitals and health systems. UK-based technology firm Sophos found that in 2024, two-thirds of global healthcare organizations faced a ransomware attack, up from 60% in the previous year. Attacks are also requiring longer recovery times, which can directly impact patient safety, care access, and the financial sustainability of affected sites.
“HHS has several initiatives intended to mitigate ransomware risks for healthcare and public health,” the November 2024 GAO bulletin acknowledges. “Nevertheless, our prior work has found that the department had not adequately monitored the sector’s implementation of ransomware mitigation practices.”
GAO cited the example of a January 2024 analysis of hospital cybersecurity practices, in which participating hospitals self-assessed that they had adopted just over 70% of the NIST Cybersecurity Framework’s functional areas.
But at the time of GAO’s report, HHS was not yet tracking adoption of NIST’s ransomware-specific practices, and did not provide evidence of any efforts to do so.
GAO cautions that “without full awareness of the sector’s adoption of cybersecurity practices, HHS risks not directing resources where needed.”
HHS is also falling short in other areas, including evaluating the effectiveness of the support it provides to healthcare organizations, assessing vulnerabilities in medical devices and other Internet of Things (IoT) access points, and resolving conflicting parameters to streamline activities across agencies and offices.
To adequately safeguard healthcare entities, HHS should consider the following actions:
- Work in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and other stakeholders to determine the sector’s adoption of leading cybersecurity practices that help reduce ransomware risk
- Develop evaluation procedures to measure the effectiveness of its support in helping to reduce ransomware risk
- Include IoT and operational technology (OT) devices in risk assessments of the industry’s cybersecurity environment
- Direct CMS to solicit input from relevant federal agencies on revisions to security policies to ensure consistency and collaboration across state and federal agencies
“Until HHS implements our prior recommendations related to improving cybersecurity,” the report concludes, “the department risks not being able to effectively carry out its lead agency responsibilities, resulting in potential adverse impact on healthcare providers and patient care.”
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system. She can be reached at jennifer@inklesscreative.com.