Effective data protection and incident response are crucial parts of strong healthcare cybersecurity, according to a recent hearing held by the House Energy and Commerce Subcommittee on Health.
The subcommittee met last week to discuss the future of healthcare cybersecurity and, specifically, what the role of the Department of Health and Human Services (HHS) should be. The hearing also largely centered on the HHS Data Protection Act (H.R. 5068).
One of the key proposals in the legislation would establish the office of the Chief Information Security Officer (CISO) at HHS and make the CISO an organizational peer of the Chief Information Officer (CIO), rather than a subordinate who reports to the CIO.
“The Chief Information Security Officer, in consultation with the Chief Information Officer and the General Counsel of the Department of Health and Human Services, shall have primary responsibility for the information security (including cybersecurity) programs of the Department,” the bill states.
Elevating the CISO role to one that is “an organizational peer” to the CIO is not a new concept, according to Health Subcommittee Chairman Joseph Pitts.
He explained in his opening statement at the hearing that a branch of the Department of Defense has already implemented a similar structure, and that many industry experts, including PricewaterhouseCoopers, support it. They have said that separating the CISO and CIO roles can “better allow for internal checks and balances.”
“Right now, the top official responsible for information operations at HHS is the Chief Information Officer, or CIO, and the official responsible for information security, the Chief Information Security Officer, or CISO [CIZ-O] reports to him,” Pitts said. “In other words, the official in charge of building complex information technology systems is also the official in charge of ultimately declaring those systems secure. This is an obvious conflict of interest.”
Energy and Commerce Committee Chairman Fred Upton added in his statement that the hearing was not meant to “chastise HHS for cybersecurity incidents that have happened in the past,” but rather to improve healthcare cybersecurity in the future.
The current structure for HHS cybersecurity leadership was first implemented 13 years ago, according to Upton, and the internet and its threats have changed drastically since then.
“The cyber world is constantly changing, and the threats that we faced 10 years ago are not the threats that we face today,” Upton maintained. “Instead, we face a daunting array of cybersecurity threats, from sophisticated thefts of personal information held by health care providers, to the hostage-taking of hospital networks and equipment by ransomware.”
The hearing also included witness statements from Samantha Burch, Senior Director of Congressional Affairs at the Healthcare Information and Management Systems Society North America (HIMSS); Joshua Corman, Director of the Cyber Statecraft Initiative at the Atlantic Council; Mac McMillan, CEO of CynergisTek, Inc.; and Marc Probst, VP and CIO of Intermountain Healthcare, testifying on behalf of the College of Healthcare Information Management Executives.
The bipartisan legislation was introduced by House Energy and Commerce Committee members Rep. Billy Long and Rep. Doris Matsui toward the end of April. The duo called the bill “a critical step toward safeguarding the delicate information countless Americans have entrusted in HHS’s hands.”
“We’ve developed a thoughtful solution to improve cybersecurity at HHS, based on committee findings. We must do all we can to ensure greater security of the government’s health networks and Americans’ sensitive data,” Long and Matsui explained in a statement.