Audit slams HHS’ cybersecurity oversight

The U.S. Department of Health and Human Services’ oversight of privacy and cybersecurity regulations in the healthcare sector is deeply flawed, even as the agency is promoting the online digitization and storage of Americans’ health records, according to congressional investigators.

HHS regulates the security and privacy of healthcare records, generally considered among the most valuable and sensitive forms of personal data. The department also has an Office for Civil Rights charged with auditing healthcare insurers’ and providers’ compliance with those rules, as well as investigating security and privacy complaints. Nearly 18,000 of the latter were received in 2014.

But in some cases it investigated, OCR “provided technical assistance that was not pertinent to identified problems, and in other cases it did not always follow up to ensure that agreed-upon corrective actions were taken once investigative cases were closed,” reported the Government Accountability Office this week.

Of the roughly 18,000 complaints received in 2014, OCR closed 89 percent without investigation, GAO found. “Of the remaining 11 percent, four percent had no violation found after investigation and seven percent resulted in corrective action.”

Moreover, GAO auditors concluded, OCR had no metrics for assessing “the effectiveness of its audit program,” which was not yet fully operational.

HHS investigations have revealed that healthcare providers and insurers “have struggled to select appropriate security and privacy controls,” auditors concluded, especially with regard to mandatory risk assessments. But the department’s cybersecurity guidance to regulated companies did not align with the NIST Cybersecurity Framework — considered the gold standard for critical infrastructure cybersecurity.

HHS officials, in comments on the report included in an appendix, agreed that their guidance should “more fully address the implementation of controls described in the NIST Cybersecurity Framework.” But they pointed out the “extreme diversity” of the healthcare organizations covered by their rules — from a single doctor’s practice, through small local clinics, to multi-national hospital networks and insurance companies.

Any new guidance, HHS said, must be “flexible and scalable …[and] technology neutral.” OCR would work on revising guidance “to the extent feasible, given … resource constraints and other priorities.”

And even the department’s supporters agree that OCR is not resourced for such a large role.

“Given the rising incidence of cyberattacks on health organizations across the country, we need to make sure that HHS has the resources and support it needs to implement security tools that will protect personal information, whether it be held by patients, families, providers, or insurers,” Sen. Patty Murray, D-Wash., told FedScoop in an email. Murray is ranking member of the Senate Health, Education, Labor, and Pensions Committee.

Written by Shaun Waterman