House Energy and Commerce leaders seek GAO review of HHS’s cybersecurity

Congressional leaders on the House Energy and Commerce Committee are seeking a review by the Government Accountability Office (GAO) of cybersecurity incident response capabilities of the Department of Health and Human Services (HHS).

The E&C leaders said the HHS needs to be able to manage cybersecurity threats and protect sensitive information, especially during the COVID-19 pandemic. Cybersecurity incidents can hamper the health agency’s ability to provide health services and respond to COVID-19.

“As such, protecting HHS computing operations during the pandemic response is paramount to the nation’s security, economic well-being, and public trust. The Chief Information Security Officer at HHS recently acknowledged that the ongoing COVID-19 public health crisis has placed a new target on HHS, and malicious actors have boosted their efforts to infiltrate the agency and access sensitive data. In addition, it was reported in March 2020 that HHS suffered a cyber-attack on its computer system. According to people familiar with the incident, it was part of a campaign of disruption and disinformation that was aimed at undermining the response to the coronavirus pandemic and may have been the work of a foreign actor,” wrote the E&C leaders in a letter to Comptroller General of the United States Gene Dodaro.

The letter was signed by Energy and Commerce Committee Chairman Frank Pallone, Jr. (D-NJ), Ranking Member Greg Walden (R-OR), Oversight and Investigations Subcommittee Chair Diana DeGette (D-CO), and Oversight and Investigations Subcommittee Ranking Member Brett Guthrie (R-KY).

This request builds upon E&C’s oversight work on the cybersecurity of HHS and its agencies. In 2013, the committee asked GAO to examine the cybersecurity protections at HHS and its component agencies to determine its effectiveness in protecting information hearing in 2018.

“Given the types of information created, stored, and shared on the information systems owned and operated by HHS, it is important that the agency implement effective incident response handling processes and procedures to address persistent cyber-based threats. Based on the agency’s expressed concern and recent past incidents, we would request that the GAO evaluate HHS’s incident response capabilities,” the lawmakers wrote.