Lawmakers consider legislation that would give HHS a new cybersecurity leader

Lawmakers believe HHS needs to take additional steps to improve its information security protections. The House Committee on Energy and Commerce, Subcommittee on Health, held a hearing on May 25, 2016, to examine HHS’ current cybersecurity responsibilities and to consider proposals to strengthen the agency’s data security. Lawmakers heard testimony from industry experts and considered the impact of measures like the HHS Data Protection Act (H.R. 5068)—proposed legislation designed to make the HHS Chief Information Security Officer (CISO) a presidential appointee and a peer, rather than a subordinate, of the HHS Chief Information Officer (CIO). The hearing was premised on an understanding that lapses in agency data protections are due to organizational structures that favor informational operations over informational security.

Organizational change

The organizational change in the office of the HHS CIO and CISO would represent an important transition that mirrors steps many health care organizations are currently undergoing in their own organizational structures, according to the testimony of Samantha Burch, Senior Director of Congressional Affairs at Healthcare Information and Management Systems Society (HIMSS). Because hacking the health care sector has become easier and more profitable than ever before, Burch noted that a comprehensive, planned, and coordinated approach is necessary for health organizations and governmental agencies to avoid breaches. She also noted that elevating the CISO to be a peer of the CIO reflects an acknowledgement that “information security has evolved into a risk-management activity.”


Joshua Corman, Director of the Cyber Statecraft Initiative at the Atlantic Council, testified that part of the difficulty with developing cybersecurity protections is that cybersecurity is a relatively new field. He acknowledged that significant breaches have occurred, even when entities are engaged in “best practices.” Corman noted that the threat only increases as “we connect everything in the Internet of Things.” He explained that as society places greater reliance on information technology, cybersecurity efforts must “rise in kind.”


Mac McMillan, Chief Executive Officer at CynergisTek, Inc., testified that the organizational change is important because what most health care organizations lack, in terms of cybersecurity, is leadership—a void that would be filled by the elevated position of the CISO under the HHS Data Protection Act. McMillan explained that, as cybersecurity threats increase, the health care industry now, more than ever, needs a leader to develop credible cybersecurity frameworks, standards, resources, and investments.


Marc Probst, the CIO of Intermountain Healthcare, discussed potential reporting structures for a CISO—a topic which received attention from all of the experts. Probst pointed to the example of Intermountain Healthcare, where the CISO reports directly to the CIO. He noted that, at Intermountain Healthcare, the reporting structure is not a focus point; instead, the organization prioritizes appropriate checks and balances for security plan development and execution. He also gave examples of other organizations where the CISO reported to different entities. Probst explained that where the CISO should report depends on the way the CISO role is defined by an organization. With respect to the HHS Data Protection Act, Probst encouraged lawmakers to consider the potential negative consequences of making the CISO a presidential appointment, due to the possibility that it could hamper the agency’s ability to effect change.