GAO Report Identifies Urgent Cybersecurity Challenges (Part 1 of 2)


By Katherine Downing, MA, RHIA, CHPS, CPHI, PMP



Would you be surprised to learn that the Government Accountability Office (GAO) first designated information security as a high-risk area in 1997? Fast forward 20-plus years and we are still seeing significant threats to information across the country’s critical infrastructures, from energy and transportation to communications, financial services, and healthcare. In addition to information security, the GAO first identified the importance of protecting cyber infrastructure in 2003 and the importance of protecting privacy of personal information in 2015.

In July 2018, the GAO issued the results of its recent testimony before the Subcommittees on Government Operations and Information Technology, Committee on Oversight and Government Reform in the US House of Representatives. The report, which is publicly available on the GAO website, identifies four major challenges:

  1. Establishing a comprehensive cybersecurity strategy and performing effective oversight
  2. Securing federal systems and information
  3. Protecting cyber critical infrastructure
  4. Protecting privacy and sensitive data

These challenges were identified, in part, based on the 2017 federal information security incidents that are shown in the chart on page six of the report. Pages six and seven of the report describe detailed examples of these incidents, such as a ransomware attack that targeted the mayor of Atlanta, GA.

Although this report was focused on federal agencies and critical infrastructures, there are lessons that can be directly applied in healthcare as we continue to advance information governance practices to strengthen privacy and security practices in our organizations. Per the GAO report, the key elements needed to succeed in the fight against cyberattacks, thefts, and malware all help clear the path to reducing risk across the organization. According to the report, the following five criteria “form a road map for efforts to improve and ultimately address high-risk issues”:

  • Leadership commitment
  • Capacity (people and resources)
  • Action plan in place
  • Monitoring program
  • Demonstrated progress

These five areas cross-map with AHIMA’s Information Governance Adoption Model for Healthcare (IGAM)™ maturity markers in several of the competency areas, including:

  • Privacy and Security: The privacy and security competency encompasses the processes, policies, and technologies necessary to protect data and information across the organization from breach, corruption, and loss. Protection also ensures information is kept private, confidential, and secret as required based on its classification.
  • Strategic Alignment: Strategic alignment of information governance with the organization’s strategy demonstrates valuation of information as a strategic asset and communicates that information governance is an organizational imperative. Strategic alignment supports an information-driven decision-making culture and ensures that its workforce at all levels has access to the information they need to make good decisions in real time, as well as supports the expectation that information is used appropriately and strategically. Strategic alignment along with information governance structure ensures leadership is committed to establishing long-term priorities and goals as well as proper staffing, oversight, and responsibility.
  • IT Governance: IT governance includes use of best practices in technology solutions selection and deployment, ensuring and measuring the value/benefit created through IT investments, management of resources, mitigation of risks, measuring the performance of the IT function, and ensuring stakeholder input is incorporated into IT strategy.

The GAO report points out that the five criteria from the road map are needed to improve and address high-risk issues, but the actions do not stand alone. They must be taken in concert with each other to address the cyber-related threats that exist.

The report further points out that security established for federal systems is “vital to the nation’s security, prosperity, and well-being. Nevertheless, the security over these systems and data is inconsistent and urgent actions are needed to address ongoing cybersecurity and privacy challenges.” Specific actions the report identifies for the federal government to take include:

  • Implement a more comprehensive cybersecurity strategy and improve its oversight, including maintaining a qualified cybersecurity workforce
  • Address security weaknesses in federal systems and information and enhance cyber incident response efforts
  • Bolster the protection of cyber critical infrastructure
  • Prioritize efforts to protect individuals’ privacy and personally identifiable information

For more details and information on this important testimony, read the full GAO report:


Katherine Downing is vice president, information governance at AHIMA.
