The U.S. Government Accountability Office has written to Clark Minor, Chief Information Officer (CIO) of the U.S. Department of Health and Human Services, advising him about the current open cybersecurity and IT management recommendations that require his attention.

GAO is a non-partisan agency that works for Congress and provides support to ensure it meets its constitutional responsibilities and helps improve the performance and ensure the accountability of the federal government. GAO makes recommendations for improving the government’s performance in IT and related IT management functions, including recommendations for the HHS, yet many of those recommendations have yet to be implemented. In the letter, GAO explained that the HHS currently has 82 open recommendations involving high-risk cybersecurity and IT management issues.

GAO made the recommendations over several years, each relating to a GAO High-Risk area: Ensuring the Cybersecurity of the Nation or Improving IT Acquisitions and Management. Out of the 82 recommendations, at least 37 are considered sensitive, and one has been designated as a priority recommendation. GAO explained in the report that in order to secure the cybersecurity of the nation, the HHS needs to take additional steps to secure the records and information systems it uses to carry out its mission.

GAO had recommended that HHS establish a reasonable time frame for when it will be able to digitally accept access and consent forms from properly identity-proofed and authenticated individuals and post those forms on the department’s privacy program website. GAO has warned that until the recommendation is implemented, the HHS will not be able to adequately protect records from improper disclosure.

HHS’ Office for Civil Rights investigations into potential HIPAA violations have resulted in financial penalties for organizations that have failed to maintain logs of activity in information systems containing ePHI, yet it hasn’t fully implemented effective logging of its own systems, as directed by the Office of Management and Budget. “Until HHS implements this recommendation, there is increased risk that the department will not have complete information from logs on its systems to detect, investigate, and remediate cyber threats,” warned GAO. HHS has also not yet implemented the recommendation that it should improve its incident response guidance, implementation, and oversight.

In the Improving IT Acquisitions and Management category, GAO has recommended that HHS improve its management and tracking of IT resources. For instance, the HHS had previously provided a revised time frame for completing its covered Internet of Things (IoT) inventory, but has still not completed the inventory. GAO warned that there is an enormous array of disparate devices that may be considered part of IoT, and those devices connect to HHS information systems. Until HHS has a complete inventory, it lacks visibility into the IoT devices within its environment, which will hamper its ability to mitigate IoT cybersecurity risks.

HHS had made little progress developing a work plan that includes specific actions to show progress in developing a public health situational awareness and biosurveillance network. Doing so will help to ensure that the HHS has comprehensive capabilities to allow a rapid and efficient response to an infectious disease outbreak. GAO also stressed to the HHS CIO that there are also outstanding recommendations from the HHS Office of Inspector General in the areas of cybersecurity and IT acquisitions and management, including requirements under the Federal Information Security Modernization Act of 2014, which must also be resolved.

Minor only joined the HHS in February and has served as CIO since May 2025. The HHS said in that short time, Minor has made steady progress toward ensuring the highest level of security and performance across its systems.

The post GAO: HHS Yet to Implement 82 Cybersecurity and IT Management Recommendations appeared first on The HIPAA Journal.