GAO: Ten Critical Actions Needed to Address Cybersecurity Challenges (Part 2 of 2)


By Katherine Downing, MA, RHIA, CHPS, CPHI, PMP


The July 2018 report issued by the Government Accountability Office (GAO), described in the first part of this article series, identified ten critical actions needed to address the major cybersecurity challenges facing federal agencies and the nation’s critical infrastructures.

The challenges and actions are listed in a graphic on p. 13 of the report titled “Figure 4: Ten Critical Actions Needed to Address Four Major Cybersecurity Challenges.” The list includes such actions as:

  • Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace
  • Address cybersecurity workforce management challenges
  • Ensure the security of emerging technologies
  • Improve implementation of government-wide cybersecurity initiatives
  • Enhance the federal response to cyber incidents
  • Improve federal efforts to protect privacy and sensitive data
  • Appropriately limit the collection and use of personal information and ensure that it is obtained with appropriate knowledge or consent

Many of the actions are parallel to critical actions needed within healthcare organizations that fall under the purview of information governance (IG). AHIMA’s Information Governance Adoption Model (IGAM)™ includes information and maturity assessment for many of the actions included in the GAO report. The IGAM™ is available via AHIMA’s Mastering the Information Governance Adoption Model: IGAM eBook or at The following list identifies actions and related IGAM competencies that parallel the list of critical actions identified in the GAO report:

  1. Develop and execute a comprehensive organizational strategy for privacy threats, cyberthreats, and information threats via an enterprise-wide information governance strategy (IGAM competency: IG Structure).
  2. Mitigate malware threats with a robust IT Governance program within the IG program (IGAM competency: IT Governance).
  3. Address insider threat through IG Awareness and Adherence programs (IGAM competency: IG Awareness and Adherence).
  4. Ensure the security of emerging technologies in healthcare such as wearables and telemedicine (a Telemedicine Toolkit is available from AHIMA as a further resource on this topic).
  5. Improve implementation of organization-wide initiatives focused on managing, securing, storing, protecting, and destroying information through enterprise information management efforts as a part of the IG program (IGAM competency: Enterprise Information Management).
  6. Address weaknesses in the organization’s programs through use of advanced security tools and technology as a part of the organization-wide privacy and security program (IGAM competency: Privacy and Security).
  7. Enhance cyber threat response through IG awareness and adherence education, including topics such as phishing campaigns and other security training beyond HIPAA basics (IGAM competency: IG Awareness and Adherence).
  8. Strengthen protection of the organization’s information assets.
  9. Improve the organization’s efforts to both provide access and better secure electronic protected health information, paper records, and legacy systems.
  10. Limit the collection and use of protected health information and ensure it is obtained with minimum necessary intent.

Although the GAO report focuses on federal agencies and critical infrastructures, there are lessons that can be directly applied in healthcare as we continue to advance information governance practices to strengthen the privacy and security practices in our organizations.

For more details and information on this important testimony, read the full GAO report:


Katherine Downing ( is vice president, information governance at AHIMA.
