A bill introduced in the House of Representatives would establish an Office of the Chief Information Security Officer at the Department of Health and Human Services to better protect the sensitive personal data of the American people.

The HHS Data Protection Act of 2016, sponsored by Reps. Billy Long (R-Mo.) and Doris Matsui (D-Calif.), would give the CISO primary responsibility for all matters of information security at the agency.

The legislation is in response to a year-long investigation by the House Energy and Commerce Committee into the information security protocols at HHS, which found numerous deficiencies stemming from what congressional investigators called “serious structural flaws.” Those problems have left the operating divisions of HHS vulnerable to cyber attacks, investigators contend.


The agency’s information security regime is “poorly structured,” according to the committee’s report, and that has resulted in five HHS operating divisions being breached within the last three years, including an October 2013 breach of the Food and Drug Administration’s internal network. At FDA, the Centers for Medicare and Medicaid Services, and the Office for Civil Rights, security concerns were “subordinated to operational concerns,” the August 2015 report concluded.

In particular, lawmakers found that “when information security is put under the purview of the chief information officer, operations become the priority concern while security becomes a secondary interest.”

To address this organizational deficiency, the HHS Data Protection Act adopts the House report’s recommendation to make the CISO the “primary authority for information security” and to move all information security functions (including the CISO) out from under the CIO and into the general or chief counsel’s office, where reducing and mitigating risk is the primary function.

HHS does not comment on proposed or pending legislation, according to an agency spokesman.

“It is impossible to completely eradicate the threat of cyber-attacks, but the American people deserve to know that their sensitive information is being safeguarded with the utmost security,” Long said. “This legislation will restructure HHS leadership so that prioritization will be given to meeting the critical data security needs expressed by their Chief Information Security Officer, rather than letting the protection of our people’s personal data fall by the wayside.”

Both bill sponsors said their legislation builds on the Obama Administration’s Cybersecurity National Action Plan, a comprehensive strategy for enhancing cybersecurity protections which recognizes the importance of a Chief Information Security Officer in improving cybersecurity capabilities. Earlier this year, the Administration created the position of the Federal Chief Information Security Officer, the first-ever dedicated senior official in the Administration focused exclusively on coordinating cybersecurity operations across federal agencies.

“The integration of information technology into nearly every aspect of our daily lives means our security landscape has changed dramatically,” Matsui said. “As the network of cyber criminals becomes increasingly sophisticated, our operational structures and strategies must evolve accordingly. This common sense legislation incentivizes best security practices and encourages organizational efficiencies as our federal agencies continue to confront the modern threat environment.”
