Experts weigh in on elevating CISO within HHS to improve cybersecurity

Several data security experts testified before a congressional panel in favor of a House proposal to elevate HHS’s chief information security officer (CISO) to a separate office, while one expressed concerns about making the office a presidential appointment.

Speaking before the House Energy and Commerce Committee May 25, witnesses emphasized that making the CISO a peer of the chief information officer (CIO), rather than a subordinate, mirrors what private companies are doing.

“Elevating the CISO to be a peer of the CIO reflects the recognition that information security has evolved into a risk-management activity, historically the purview of other executives,” said Samantha Burch, senior director of congressional affairs for the Healthcare Information and Management Systems Society (HIMSS). “In the private sector context, this recognition requires not just a revised job description, but a removal of the traditional subordination of the information security program to the information technology program to create a direct channel” to senior executives.

Burch advised that the changes shouldn’t end at reshuffling offices, suggesting that information sharing must also be improved if the newly elevated CISO is to act on the security issues the office is told about.

Support for the idea wasn’t unanimous. Speaking on behalf of the College of Healthcare Information Management Executives (CHIME), Intermountain Healthcare CIO Marc Probst suggested the reorganization doesn’t matter as much as reprioritizing security.

“Coordination is key, and cooperation and architecting how you’re going to do security is probably the most important aspect, I think, of cybersecurity, not necessarily where an individual reports,” Probst said. “If the strategy is by raising a particular position, and that’s somehow going to raise cybersecurity, I don’t think that’s the case.”

In his written testimony, Probst also expressed concerns about making the CISO a presidential appointment, writing, “we’ve seen other instances where politicizing a role can hamper an agency’s ability to effect change.”

Elevating the CISO was the top recommendation of an August 2015 report by the Energy and Commerce Committee, which placed some of the blame for the 2013 data breaches at the FDA on the current CIO-CISO organizational structure, in which the CISO reports to the CIO.

Lawmakers on the committee said there’s some degree of urgency to address those cybersecurity concerns at HHS before a major cyberattack occurs.

“We’ve learned that there are fundamental weaknesses in the foundation of data security at every major division of HHS, and that hardly inspires confidence,” said Rep. Michael Burgess, R-Texas. “Although the breaches and vulnerabilities at HHS have not been as serious as ransomware attacks in the private sector, there’s no reason in the world to just sit back and wait for that disaster to happen and then be tasked with examining smoking ruins.”

Committee chairman Joe Pitts, R-Pa., said HHS was asked to testify, but nobody from the agency could appear. He promised the committee would consult the agency before advancing the legislation.