Bipartisan House bill would designate cybersecurity chief for HHS

The legislation would adjust the structure of HHS’ cybersecurity personnel and assign a single officer to cybersecurity who would report to the secretary.
By Jessica Davis
03:54 PM
health and human services security

Reps. Billy Long, R-Missouri, and Doris Matsui, D-California, introduced a bill Wednesday that would allow the Department of Health and Human Services to restructure its cybersecurity personnel and allow the secretary to assign a single officer focused on cybersecurity.

Currently, HHS’ chief of security reports to its chief information officer. The CIO reports to the assistant secretary for administration.

In 2015, the U.S. House Committee on Energy and Commerce sought to change that structure, by placing the CISO and CIO on equal ground.

[Also: State, local health agencies moving faster towards cloud, mobile, cybersecurity]

It recommended HHS reorganize its structure to move the CISO under General Counsel -- and the same level as the CIO, citing “systemic weaknesses in the traditional CIO-CISO organizational structure.”

Such a move would address issues with the current structure that keep the CISO from equal footing with the CIO.

The proposed bill would also require HHS to develop and submit a cybersecurity plan that describes how the agency intends to protect internal data and software from compromise and how it will assist other organizations within the healthcare system.

[Also: OCR privacy chief steps down to work on Silicon Valley startup]

Further, HHS would have to show how it plans to differentiate those two roles.

“Patients deserve to know that their medical information is safe, and hospitals, manufacturers and insurance companies that handle patient data need guidance to ensure they are following best practices,” said Matsui.

“This bill builds on the legislation Congressman Long and I introduced last Congress, further encouraging HHS to implement the appropriate internal infrastructure that will ensure the agency is prepared to lead the healthcare industry in cybersecurity,” she added

This is not the first congressional bill to zero-in on HHS’ infrastructure.

After the WannaCry attacks, a House Science subcommittee expressed concern that the agency’s plan to form a Health Cybersecurity and Communications Integration Center would be redundant, as the Department of Homeland Security already has a similar hub in place.

Twitter: @JessieFDavis
Email the writer: