#SubHealth Examines HHS Cybersecurity Efforts

The following press release was published by the House Committee on Energy and Commerce on May 25, 2016. It is reproduced in full below.

WASHINGTON, DC - The Subcommittee on Health, chaired by Rep. Joseph Pitts (R-PA), today held a hearing examining cybersecurity efforts and responsibilities at the Department of Health and Human Services (HHS). The hearing examined H.R. 5068, the HHS Data Protection Act, authored by committee members Rep. Billy Long (R-MO) and Rep. Doris Matsui (R-CA). The bipartisan legislation will establish the Office of the Chief Information Security Officer (CISO) within HHS, elevating the HHS CISO from where the position currently sits underneath HHS’ Chief Information Officer (CIO).

In April 2015, the committee released the results of its investigation of information security at the FDA, which identified serious weaknesses in the information security programs at HHS. Examination of these incidents revealed that many shared a root cause - the subordination of information security to information operations, as a result of the organizational structure in place at HHS with regards to its CIO and CISO.

“As a result of an investigation conducted by the Energy and Commerce Subcommittee on Oversight and Investigations to examine information security at the U.S. Food and Drug Administration, it was determined that serious weaknesses existed in the overall information security programs at the U.S. Department of Health and Human Services (HHS),” stated Chairman Pitts. “It seems a major part of the problem is the organizational structure in place at HHS that puts information security second to information operations.”

Mac McMillan, Chairman and CEO of CynergisTek, Inc., testified in support of H.R. 5068, saying, “I sincerely support the elevation of the Chief Information Security Officer role to a position equivalent to other senior leaders within the Department of Health and Human Services and in particular the Chief Information Officer. When these two positions have equal authority, are both (sic) focused on a common mission and working collaboratively the CIO and CISO form a complementary and effective team to ensure the protection of information assets for an organization. …One of the questions I most often get asked by healthcare leadership and Boards is ‘where should the CISO report?’ I welcome the opportunity to engage the members on this matter.”

Rep. John Shimkus (R-IL) asked witnesses if they thought elevating the HHS CISO would be warranted and yield success. “This is really about organizational structure. As a military guy, somebody’s got to be in charge. I mean, that’s really the basic debate.” Mr. Joshua Corman, Director of the Cyber Statecraft Initiative at the Atlantic Council, acknowledged that under the proposal put forth by Reps. Long and Matsui, “you can have success.”

Full committee Chairman Fred Upton (R-MI) concluded, “Our oversight identified a problem. And we have a thoughtful solution in the HHS Data Protection Act to address it.”

Additional information on today’s hearing, including a background memo, witness testimony, and an archived video can be found on our website here.

Source: House Committee on Energy and Commerce