A year-long investigation by the House Energy and Commerce Committee into information security protocols at the Department of Health and Human Services finds “serious structural flaws” that leave HHS vulnerable to cyber attacks.

“What we found is alarming and unacceptable,” said Committee Chairman Fred Upton (R-Mich.) and Oversight and Investigations Subcommittee Chairman Tim Murphy (R-Penn.), in a joint written statement. “At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack. With the recent Office of Personnel Management attack serving as another example of how wrong things can go, this report pulls back the curtain and sheds light on serious deficiencies in HHS’s information security practices.”

This “poorly-structured” information security regime, according to the congressional report, has resulted in five HHS operating divisions being breached within the last three years, including an October 2013 breach of the Food and Drug Administration’s internal network. At FDA, the Centers for Medicare and Medicaid Services, and the Office of Civil Rights, security concerns were “subordinated to operational concerns,” the report concludes.

Specifically, investigators found that “when information security is put under the purview of the chief information officer, operations become the priority concern while security becomes a secondary interest.” To address this organizational deficiency, the report recommends making the Chief Information Security Officer the “primary authority for information security” and moving all information security functions (including the CISO) to the general or chief counsel’s office, where reducing and mitigating risk is the primary function.

Also See: Why You Need a Chief Information Security Officer

“The separation of the management of information technology from the management of information security concerns would remove information security from the information technology ‘silo’ and would facilitate the inclusion of expertise across HHS in information security decisions,” states the report. “In particular, the placement of the CISO within the Office of the General or Chief Counsel specifically acknowledges that information security has evolved into a risk-management activity, traditionally the purview of the legal team. This reorganization is an important first step toward creating a system that incentivizes better security.”

In supporting its recommendation, congressional investigators noted that they spoke to several industry experts and analysts who described a growing trend in the private sector to restructure information security operations so that CISOs report to a senior executive other than the CIO.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access