GAO: EHRs, health insurance marketplaces among federal cybersecurity weaknesses

A new report, along with testimony from a GAO official, points to lingering cybersecuirty vulnerabilities at federal agencies, including HHS.

The Government Accountability Office once again called on the federal government to strengthen its cybersecurity capabilities across several platforms, with particular emphasis on hospital medical records and state-based insurance marketplaces.

The GAO issued several broad cybersecurity recommendations in a report released on Tuesday, calling on federal agencies to strengthen oversight and IT capabilities, improve cyber detection and response, expand training efforts and protect personally identifiable information.

Referencing a prior report released in September, the GAO noted that the Department of Health and Human Services (HHS) has not addressed all of the key cybersecurity controls recommended by the National Institute of Standards and Technology. The GAO reiterated previous security and privacy concerns within the CMS data hub used to exchange information within state-based insurance marketplaces.

RELATED: GAO report calls for more HIPAA, cybersecurity guidance

During a hearing before the House subcommittee on science and technology, Gregory Wilshusen, director of information security issues at the GAO, testified that federal agencies frequently say they have resolved a vulnerability, only to have investigators find those same issues still present. Wilshusen said more than 1,000 of the 2,500 cybersecurity recommendations issued by the watchdog agency have not been implemented across the federal government.

Iain Mulholland, a member of the Cyber Policy Task Force at the Center for Strategic and International Studies and the CIO of security at VMware Inc., added that the black-market value of medical records far exceeds credit card information because the metadata within a medical record can be used for other attacks.

“It’s a little bit of a goldmine,” he said. “You’ve got a lot of information in the same place that can be very valuable.”

Mulholland also emphasized the “unprecedented level of attacks” in both the public and private sector and highlighted the need to evaluate cybersecurity vulnerabilities associated with Internet of Things devices.

RELATED: mHealth roundup: Health apps to cut costs, improve care

In the same hearing, Charles Romine, Ph.D., director of the Information Technology Laboratory at NIST acknowledged the organization’s role in outlining cybersecurity standards. This year, the NIST’s updated Cybersecurity Framework outlined four new metrics for cybersecurity measurement. The FDA has referenced the NIST’s framework as a starting point for evaluating medical device security.