Congress to Establish Chief Information Security Officer Within HHS

By Bob Grant, Chief Strategy Officer, Compliancy Group
Twitter: @compliancygroup

A bill to establish an Office of the Chief Information Security Officer (CISO) at the Department of Health and Human Services (HHS) was introduced in the House of Representatives. The office would issue guidance to better protect sensitive personal information and data from potential exposure to cyber-attacks.

Reps. Billy Long (R-Mo.) and Doris Matsui (D-Calif.) sponsored the HHS Data Protection Act of 2016, which seeks to make the CISO the “primary authority for information security.”

The legislation has been created in light of a year-long investigation by the House Energy and Commerce Committee regarding security protocols at HHS. In a report published in August 2015, congressional investigators found “serious structural flaws” in HHS’ current protocols, resulting in numerous security deficiencies. Investigators reported that these problems leave operation divisions of the department vulnerable to cyber-attacks.

The existing information security regime is “poorly structured,” according to the committee’s report. In the last three years, five HHS operation divisions have been compromised, including a serious breach of the Food and Drug Administration’s internal network in October 2013.

The newly proposed legislation will be beneficial in making security a primary focus within HHS. Lawmakers say that the reorganization will be the first step in creating a system to incentivize better security measures.

The plan builds on the Cybersecurity National Action Plan, which is designed to enhance cybersecurity protections, Long and Matsui said. The plan also recognizes the need for a Chief Information Security Officer in improving security measures. This new bill comes on the heels of the Obama Administration’s creation of the Federal Chief Information Security Officer position earlier this year, a position focused exclusively on cybersecurity operations.

The bill also comes in the aftermath of several ransomware and cyber-attacks on various health care organizations throughout the US. Since the start of the year, there have been five large-scale ransomware attacks on hospitals in the US and Canada. HHS has released some guidance on the issue so far, and creating the CISO position appears to be another step toward addressing this growing problem.

Because digital information is becoming integrated into most aspects of our daily lives, the importance of cybersecurity has grown dramatically. As cyber criminals become more sophisticated, operational structures must grow in tandem in order to deter them. This legislation will encourage the best security practices and organizational efficiency as federal agencies confront newfound cyber threats head on.

About the Author: Bob Grant is the Chief Strategy Officer of the Compliancy Group. The Compliancy Group offers a suite of products and solutions to help you meet HIPAA Compliance. Attend one of their upcoming free educational webinars or schedule a demo of the company’s all-in-one compliance product, The Guard. This article was originally published on the Compliancy Group blog and is republished here with permission.