Some members of Congress want to push the U.S. Department of Health Human and Human Services (HHS) to put its chief information security officer (CISO) on the same organizational level as its chief information officer (CIO).
Rep. Billy Long, R-Mo., and Rep. Doris Matsui, D-Calif., say the HHS CISO needs a high enough rank to be able to go directly to the HHS secretary with cybersecurity concerns.
Long and Matsui have introduced H.R. 5068, the HHS Data Protection Act bill.
The House Energy & Commerce health subcommittee held a hearing on the bill in Washington Wednesday.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets tough health data security rules. In recent years, cyber attacks have reached into the systems that administer benefits for federal employees. This year, cyber attackers have been flooding email users with “phishing” emails, or emails designed to get recipients to install malware on their computers, or give personal information to criminals.
Three witnesses — Samantha Burch of the Healthcare Information and Management Systems Society North America; Joshua Corman of the Cyber Statecraft Initiative; and Mac McMillan, chief executive officer of CynergisTek Inc. — said they were strongly in favor of giving the CISO the same rank as the CIO, or chief of information technology (IT).
Corman said an organization could consider having a data security chief report to a chief financial officer, or a general counsel.
But, “in general, the belief is that a CISO reporting to a CIO is a structural conflict of interest, as there can be tensions between their missions, their performance objectives and their budgets,” Corman said, according to a written version of his remarks posted on the committee website.