Governance & Risk Management
OIG: Gaps in Requirements, Third-Party Oversight Put Agencies, Health Sector at Risk
Auditors say the U.S. Department of Health and Human Services should buttress its ability to respond to cyberthreats by standardizing governance and controls across its many divisions – and also do a better job of overseeing its many contractors and the risk they introduce.
A fractured approach to cybersecurity with varying controls across divisions and programs "complicate HHS's preparedness efforts to prevent or respond to cybersecurity risks," wrote the HHS Office of the Inspector General in one of two new reports published this week.
Auditors noted improvements but said that efforts to consolidate cybersecurity functions "is often still dependent on each division and program."
In addition, third-party risks, posed by legions of contractors and other third-party vendors, complicate matters further. "Cybersecurity solutions must be implemented not just within the department but also by the thousands of HHS contractors, grantees and other external entities," auditors wrote.
Auditors also included cybersecurity risk management as a top priority in a semiannual report this week to Congress. A successful cyberattack could jeopardize departmental operations and also potentially compromise the health and welfare of the individuals HHS serves.
Improved departmental cybersecurity is a longstanding concern. "HHS faces persistent cybersecurity threats that exacerbate challenges related to how the Department uses data and technology essential to accomplishing its mission," auditors underscored in a November 2025 report (see: Inspector General Flags Security Gap in NIH Genomics Project).
Auditors say the current state of cybersecurity at HHS is not entirely the department's fault. "Challenges remain that the department has limited authorities or resources to address, including the industry's reliance on legacy technology and workforce challenges."
Nor do out-of-date regulations around cybersecurity and data privacy help matters.
HHS's ability to enforce "the decades-old HIPAA Privacy Rule and HIPAA Security Rule – may not be sufficient to address contemporary privacy concerns of protecting health information or increased risks to the security of electronic protected health information," auditors wrote.
"Operating within the statutory authorities established by HIPAA in 1996, HHS must adapt as privacy and security needs evolve."
The department's Office for Civil Rights in the closing days of the Biden administration issued a proposed overhaul to the 20-year-old HIPAA Security Rule, and similarly in the closing days of the first Trump administration issued proposed modifications to the nearly 30-year-old HIPAA Privacy Rule.
Both proposals remain on HHS' current regulatory agenda but so far OCR has not publicly disclosed how it plans to proceed with finalizing either rule (see: Health Data Privacy, Cyber Regs: What to Watch in 2026).
An HHS spokesperson said the department is already addressing many of the issues spotlighted in the OIG reports.
"HHS is streamlining its IT and cybersecurity systems to better serve the Department and the American people, modernizing outdated, Biden-era systems, to improve security, efficiency and accountability across HHS," the spokesperson said.