GAO: HHS falls short on healthcare cybersecurity

The U.S. Government Accountability Office said HHS "continues to have challenges" as the lead agency for healthcare cybersecurity.

Here are five recommendations from the GAO's Nov. 13 report:

1. HHS should track hospitals' adoption of the National Institute of Standards and Technology Cybersecurity Framework to "identify, detect, protect, respond, and recover."

2. HHS should evaluate the effectiveness of cybersecurity support it provides for the healthcare sector, such as guidance documents, threat briefings, training and job aids.

3. HHS should conduct a sectorwide risk assessment of Internet of Things and operational technology devices.

4. HHS' Administration for Strategic Preparedness and Response should better monitor, clarify responsibilities for and provide updates on collaborative efforts to boost healthcare cybersecurity.

5. CMS should ensure consistent cybersecurity requirements for state agencies — like the number of unsuccessful login attempts prior to a user lockout — and better coordinate with other federal agencies on the state assessments.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.