Congressional attempts to empower HHS CISO could serve as model for private hospitals

Proposed legislation would elevate Health and Human Services' CISO from its current position under the CIO. Whether it passes or not, the notion is raising questions about typical reporting structures in the healthcare C-suite.
By Jessica Davis
12:05 PM

To hear the chief information security officer of a major mid-Atlantic provider network tell it, the Health and Human Services CISO is a toothless post. The reason? The HHS CISO reports to the CIO, with only a dotted line to compliance.

But some U.S. Congress members are aiming to change that. In late April, House Energy and Commerce Committee members Rep. Doris Matsui, D-California, and Rep. Billy Long, R-Missouri, introduced the HHS Data Protection Act to establish the Office of the CISO within the Department of Health and Human Services.

The proposed legislation would essentially elevate the HHS CISO from its current position under HHS' chief information officer.

"The integration of information technology into nearly every aspect of our daily lives means our security landscape has changed dramatically," Matsui said. "As the network of cybercriminals becomes increasingly sophisticated, our operational structures and strategies must evolve accordingly."

To that end, the bill extends the Obama administration's Cybersecurity National Action Plan, which emphasizes the need for a CISO to improve cybersecurity. In response to the plan, the administration created a Federal Chief Information Security Officer position to exclusively focus on Federal cybersecurity operations.

The legislation is also in part a response to the committee's August 2015 report on the FDA's information security that found "pervasive and persistent deficiencies across HHS and its operating divisions' information security programs" after its internal network was breached.


Whether the bill actually empowers the HHS CISO and better safeguards the organization and its data will likely depend more on what responsibilities that position entails than on anything else, said David Finn, Symantec Healthcare IT Officer.

“They need to have the right person,” Finn added. “The CISO should not be writing passwords or managing firewall settings.”

Christiana’s Santiago agreed that HHS also must fill that post with someone with the appropriate skill set.

“To be successful, it really has to be the right leader with visibility, empowerment and tools to drive change,” Santiago explained. “But if it’s done correctly and they hire and empower the right leader, they can effect change across the industry.”

How quickly such change would trickle down to private healthcare entities also remains to be assessed.