Excerpt: “While the CTPR provided a high-level overview of the cybersecurity responsibilities of each HHS office and operating division, the report omitted or lacked sufficient detail on many outstanding issues. For example, HHS is both a regulator of the health care sector and the Sector Specific Agency (SSA) responsible for leading and providing guidance under the national critical infrastructure protection model. HHS must make clear how it plans to carry out this dual role and clearly communicate that plan to stakeholders, who must balance the need for support from HHS during cybersecurity incidents with the perceived risk that seeking support could lead to regulatory enforcement actions. The CTPR did not mention this dual role or provide any clarification as to when HHS will act as a regulator or an SSA and how it will transition from one role to the other.”
To read a copy of the letter, click here.