The Government Accountability Office (GAO) released a report on November 13 highlighting the Department of Health and Human Services’ (HHS) ongoing challenges in carrying out its cybersecurity responsibilities as the lead federal agency for the healthcare and public health critical infrastructure sectors. The report noted the increased incidents of cyberattacks across the healthcare sector, including the February 2024 Change Healthcare ransomware attack that had widespread impacts on healthcare providers and patient care.

The GAO went on to highlight several recommendations that HHS has yet to fully implement to improve cybersecurity risk management. The recommendations include tracking the healthcare sector’s adoption of cybersecurity practices that reduce ransomware-specific attacks; including medical devices and other operational technologies as part of HHS’s risk assessments; and ensuring that the Centers for Medicare and Medicaid Services (CMS) maximizes collaboration with other federal agencies to provide consistent cybersecurity requirements across state agencies.

Although much of HHS’s cybersecurity focus has been on hospitals, the Change Healthcare ransomware attack demonstrated the vulnerabilities that exist across the entire healthcare sector, including post-acute and long-term care providers. LeadingAge actively engaged with HHS to help members impacted by the Change Healthcare ransomware attack and is continuing to work with members, partners, and policymakers to strengthen and share cybersecurity best practices.