Some members of Congress want to push the U.S. Department of Health and Human Services (HHS) to put its chief information security officer (CISO) on the same organizational level as its chief information officer (CIO).
Rep. Billy Long, R-Mo., and Rep. Doris Matsui, D-Calif., say the HHS CISO needs a high enough rank to be able to go directly to the HHS secretary with cybersecurity concerns.
Long and Matsui have introduced H.R. 5068, the HHS Data Protection Act bill.
The House Energy & Commerce health subcommittee held a hearing on the bill in Washington Wednesday.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets tough health data security rules. In recent years, cyber attacks have reached into the systems that administer benefits for federal employees. This year, cyber attackers have been flooding email users with “phishing” emails, or emails designed to get recipients to install malware on their computers, or give personal information to criminals.
Three witnesses — Samantha Burch of the Healthcare Information and Management Systems Society North America; Joshua Corman of the Cyber Statecraft Initiative; and Mac McMillan, chief executive officer of CynergisTek Inc. — said they were strongly in favor of giving the CISO the same rank as the CIO, or chief of information technology (IT).
Corman said an organization could consider having a data security chief report to a chief financial officer, or a general counsel.
But, “in general, the belief is that a CISO reporting to a CIO is a structural conflict of interest, as there can be tensions between their missions, their performance objectives and their budgets,” Corman said, according to a written version of his remarks posted on the committee website.
“The CIO is (in part) measured on the availability of IT services,” Corman said. “In contrast, the CISO may need to temporarily interrupt said service in order to test for exploitable weaknesses – or to patch and update vulnerable systems to avoid successful exploitation.”
A fourth witness, Marc Probst, the chief information officer at Intermountain Healthcare, said different kinds of organizations may need different kinds of data security management structures.
“It’s not enough to rely on reporting structure changes to initiate meaningful change,” Probst said in his written testimony. “Instead, security must be an organizational priority for true change to be enacted.”