Governance & Risk Management
OIG: Gaps in Requirements, Third-Party Oversight Put Agencies, Health Sector at Risk

Auditors say the U.S. Department of Health and Human Services should buttress its ability to respond to cyberthreats by standardizing governance and controls across its many divisions – and also do a better job of overseeing its many contractors and the risk they introduce.
A fractured approach to cybersecurity with varying controls across divisions and programs "complicate HHS's preparedness efforts to prevent or respond to cybersecurity risks," wrote the HHS Office of the Inspector General in one of two new reports published this week.
Auditors noted improvements but said that efforts to consolidate cybersecurity functions "is generally still dependent on each division and program."
In addition, third-party risks, posed by legions of contractors and other third-party vendors, complicate matters further. "Cybersecurity solutions must be implemented not just within the department but also by the thousands of HHS contractors, grantees and other external entities," auditors wrote.
Auditors also included cybersecurity risk management as a top priority in a semiannual report this week to Congress. A successful cyberattack could jeopardize departmental operations and also potentially compromise the health and welfare of the individuals HHS serves.
Improved departmental cybersecurity is a longstanding concern. "HHS faces persistent cybersecurity threats that exacerbate challenges related to how the Department uses data and technology essential to accomplishing its mission," auditors underscored in a November 2025 report (see: Inspector General Flags Security Gap in NIH Genomics Project).
Auditors say the current state of cybersecurity at HHS is not entirely the department's fault. "Challenges remain that the department has limited authorities or resources to address, including the industry's reliance on legacy technology and workforce challenges."
Out-of-date regulations around cybersecurity and data privacy do not help matters either.
HHS's ability to enforce "the decades-old HIPAA Privacy Rule and HIPAA Security Rule – may not be sufficient to address contemporary privacy concerns of protecting health information or increased risks to the security of electronic protected health information," auditors wrote.
"Operating within the statutory authorities established by HIPAA in 1996, HHS must adapt as privacy and security needs evolve."
The department's Office of Civil Rights in the final days of the Biden administration issued a proposed overhaul to the 20-year-old HIPAA Security Rule, and similarly in the final days of the first Trump administration issued proposed changes to the nearly 30-year-old HIPAA Privacy Rule.
Both proposals remain on HHS' current regulatory agenda, but so far OCR has not publicly disclosed how it plans to proceed with finalizing either rule (see: Health Data Privacy, Cyber Regs: What to Watch in 2026).
An HHS spokesperson said the department is already addressing many of the issues spotlighted in the OIG reports.
"HHS is streamlining its IT and cybersecurity systems to better serve the Department and the American people, modernizing outdated, Biden-era systems, to improve security, efficiency and accountability across HHS," the spokesperson said.