The US Government Accountability Office (GAO) has issued recommendations to the Department of Health and Human Services (HHS), among other federal agencies, as part of its assessment of their efforts to oversee the adoption of leading cybersecurity practices across critical infrastructure sectors, with a specific focus on ransomware practices within the healthcare sector. The report highlighted the impact of ransomware attacks on the nation’s critical infrastructure, emphasizing the difficulty in safeguarding national security. The assessment analyzed the increasing frequency of ransomware attacks, which have prompted an urgent need for improved cybersecurity measures. The GAO’s recommendations aim to strengthen federal initiatives in combating these pervasive cyber threats and ensuring the resilience of key services, particularly in the healthcare domain where the stakes are high and the potential consequences of attacks on critical systems could be particularly severe. The healthcare sector, being a key component of the nation’s critical infrastructure, requires targeted and effective cybersecurity strategies to safeguard patient data, ensure the continuity of care, and mitigate the broader implications of ransomware attacks.
The number of ransomware attacks has greatly increased, prompting the Government Accountability Office (GAO) to scrutinize federal efforts to address this cyber threat. Across critical infrastructure sectors, including manufacturing, energy, healthcare, and transportation, the impact of ransomware has been profound, with financial losses rising. In 2021, the Department of the Treasury reported a staggering $886 million in ransomware-related incidents, marking a 68 percent increase from the previous year. This growth in financial losses emphasizes the urgent need for a comprehensive examination of existing cybersecurity practices and the development of robust strategies to mitigate the advancing threats.
The consequences of ransomware go beyond monetary losses, materializing in disruptions such as the incapacitation of hospital IT systems that prevents the delivery of emergency care. The FBI reported that 870 critical infrastructure organizations fell victim to ransomware in 2022, affecting 14 of the 16 critical infrastructure sectors. Almost half of these incidents occurred in critical manufacturing, energy, healthcare and public health, and transportation systems, highlighting the broad reach of ransomware across key sectors. The healthcare sector was hit especially hard, with disruptions affecting the delivery of key services and patient care. The actual impact remains underestimated because incident reporting is voluntary, though the Department of Homeland Security is set to introduce new reporting rules by March 2024, offering a more comprehensive view of ransomware’s repercussions. This initiative reflects a commitment to improving the understanding of the true extent of the problem, allowing for more informed and targeted strategies to address evolving threats and protect critical infrastructure.
The adoption of leading practices to combat ransomware within the selected sectors remains largely unknown, as the lead federal agencies responsible for risk management have yet to determine the extent to which the practices recommended by the National Institute of Standards and Technology have been implemented. Assessing this adoption is necessary for strengthening federal agencies’ efficacy in national efforts against ransomware. While most lead federal agencies have evaluated or plan to evaluate cybersecurity threats, including ransomware, for their respective sectors, there is also a gap in fully assessing the effectiveness of their support efforts. The GAO recommends that agencies comprehensively evaluate the effectiveness of their support, in line with the National Infrastructure Protection Plan. Such an assessment could address sector concerns regarding communication, coordination, and the timely sharing of threat and incident information, ensuring a more cohesive and proactive approach to combating ransomware. The GAO’s 11 recommendations emphasize the need for heightened oversight and collaborative action to mitigate the evolving risks presented by ransomware across critical infrastructure sectors.