Bipartisan E&C Leaders Request GAO Evaluate HHS’s Cybersecurity Incident Response Capabilities

The following press release was published by the House Committee on Energy and Commerce on Oct. 9, 2020. It is reproduced in full below.

Energy and Commerce Committee Chairman Frank Pallone, Jr. (D-NJ), Ranking Member Greg Walden (R-OR), Oversight and Investigations Subcommittee Chair Diana DeGette (D-CO), and Oversight and Investigations Subcommittee Ranking Member Brett Guthrie (R-KY) sent a letter to Comptroller General of the United States Gene Dodaro today to request an evaluation by the Government Accountability Office (GAO) of cybersecurity incident response capabilities of the Department of Health and Human Services (HHS).

The bipartisan E&C leaders emphasized the need for HHS to be able to manage cybersecurity threats and protect sensitive information, especially during the COVID-19 pandemic, as cybersecurity incidents can hamper the health agency’s ability to provide health services and respond to COVID-19.

“As such, protecting HHS computing operations during the pandemic response is paramount to the nation’s security, economic well-being, and public trust. The Chief Information Security Officer at HHS recently acknowledged that the ongoing COVID-19 public health crisis has placed a new target on HHS, and malicious actors have boosted their efforts to infiltrate the agency and access sensitive data. In addition, it was reported in March 2020 that HHS suffered a cyber-attack on its computer system. According to people familiar with the incident, it was part of a campaign of disruption and disinformation that was aimed at undermining the response to the coronavirus pandemic and may have been the work of a foreign actor,” wrote Pallone, Walden, DeGette, and Guthrie.

Today’s request for a GAO report builds upon years of E&C’s bipartisan oversight work on the cybersecurity of HHS and its agencies, which include the Food and Drug Administration (FDA), Centers for Disease Control and Prevention (CDC), National Institutes of Health (NIH), and Centers for Medicare & Medicaid Services (CMS). In 2013, the committee asked GAO to examine the cybersecurity protections in place at HHS and its component agencies to determine their effectiveness in protecting information. GAO’s audits of those agencies were examined in an Oversight and Investigations Subcommittee hearing in 2018.

“Given the types of information created, stored, and shared on the information systems owned and operated by HHS, it is important that the agency implement effective incident response handling processes and procedures to address persistent cyber-based threats. Based on the agency’s expressed concern and recent past incidents, we would request that the GAO evaluate HHS’s incident response capabilities,” wrote Pallone, Walden, DeGette, and Guthrie.

Source: House Committee on Energy and Commerce