- Bipartisan legislation was recently introduced by members of Congress to improve healthcare cybersecurity, specifically within the Department of Health and Human Services (HHS).
House Energy and Commerce Committee members Rep. Billy Long and Rep. Doris Matsui describe the HHS Data Protection Act as “a critical step toward safeguarding the delicate information countless Americans have entrusted in HHS’s hands.”
“We’ve developed a thoughtful solution to improve cybersecurity at HHS, based on committee findings. We must do all we can to ensure greater security of the government’s health networks and Americans’ sensitive data,” the duo explained in a statement.
One of the key provisions of the legislation is the creation of an Office of the Chief Information Security Officer (CISO) at HHS.
“The Chief Information Security Officer, in consultation with the Chief Information Officer and the General Counsel of the Department of Health and Human Services, shall have primary responsibility for the information security (including cybersecurity) programs of the Department,” the bill states.
A key driver behind the legislation is a report published in August 2015, in which the House Energy and Commerce Committee documented information security deficiencies at HHS. The Committee had originally launched its investigation after the 2013 breach at the Food and Drug Administration (FDA).
After examining the October 15, 2013 breach of FDA’s network, and other breaches of HHS information systems, it is clear that the relationship between the CIO and the CISO in HHS’s headquarters and its operating divisions is an important factor contributing to the prioritization of operational concerns over security concerns. These issues could be resolved by moving the CISO position to the Office of the General or Chief Counsel, as applicable.
The Committee report added that separating the management of information technology from the management of information security concerns would help break down the information technology “silo.” This would also ensure that the right information security expertise was spread across HHS.
“This reorganization is an important first step toward creating a system that incentivizes better security,” the report’s authors explained.
While HHS and each of its operating divisions affected by data security incidents addressed the vulnerabilities that were found, the Committee report stated they “did not implement any major policy or structural reforms to address the systemic tensions within HHS’s information security program.”
“These systemic tensions stem primarily from the inherent subordination of security to operations that the current CIO-CISO organizational structure creates,” the report says. “To better account for and balance these concerns, that organizational structure must be reformed.”
The CISO should primarily be responsible for HHS’ information security, as well as all of its operating divisions’ information security, the Committee wrote. Furthermore, any information security responsibilities that the current CIO handles should be transferred to the CISO.
Overall, the report explains that security is too often compromised for the sake of operations. A senior security official should not be “subordinated to the senior official for information operations.”
“This structure is not designed to fairly balance the concerns of information security and information operations, which are often in conflict, and the organizational structure promotes operations over security,” according to the Committee. “As a result, information security at HHS and its operating divisions is substantially weakened.”
The Committee concluded that there must be a system “that provides a better balance of operations and security, and appropriately addresses the legal concerns arising from information security matters.”